23542300x800000000000000018535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:39.316{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB17CE10CF252AF61DFB58DACA1BEC7,SHA256=AB6A50D0925D6CCCA82CCAB75F8F3BE1EF05284210C43C21E009535EBACF1816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:39.035{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:39.073{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61359-false10.0.1.12-8089- 23542300x800000000000000018536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:40.332{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4497A6492158D682B6BE93FD8D5EB78A,SHA256=41AE4C19BC0303BA238CF783035346DB0ECC41204DC299D28F489D6FD218EF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:41.347{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A49F49F5A559F102287448CABD34C0,SHA256=0CEBAABEFEEEABCF2A0AEB428520A83DEE37DD8EF4C4D5F7AEBF27041CA0C593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:42.800{4DB9351A-A0EF-60D3-4502-00000000CF01}6812NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C4GKG9DZH0\System.Data.Entity.ni.dll.auxMD5=0E0C7B4217E13E5BE6A91594D75B6C95,SHA256=6362BDB002908DD0F32DE752232FCB577A47883B8555A9B739AB41C6BA27F916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:42.800{4DB9351A-A0EF-60D3-4502-00000000CF01}6812NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C4GKG9DZH0\System.Data.Entity.ni.dllMD5=E65BA76FB53892CAA894703A9A0ADF08,SHA256=D609D1847F3940DCEF413B6828A49F66C44B09BDA93DC5E79C92ED1924498899,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:42.394{4DB9351A-A0EF-60D3-4502-00000000CF01}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a9c-0\System.Data.Entity.dll2021-06-23 21:00:42.394 23542300x800000000000000018539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:42.363{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CBEC21BD22134A98FF41FF383E2D51,SHA256=9EEDC3D10496F52AE3BE5C305585A433BE7EEBD1DB041936C1A888C047A15016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.629{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FB-60D3-4702-00000000CF01}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.613{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A0FB-60D3-4702-00000000CF01}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.613{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FB-60D3-4702-00000000CF01}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.363{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3661682BA04427990D4662B2B4C7B0D2,SHA256=FBCF54972B28BEAFD1A8C62A6D5552C08D1EDFDCD631C346E1EF3CF366DF732D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.160{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FB-60D3-4602-00000000CF01}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.144{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A0FB-60D3-4602-00000000CF01}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.144{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FB-60D3-4602-00000000CF01}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.769{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FC-60D3-4802-00000000CF01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.754{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A0FC-60D3-4802-00000000CF01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.754{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FC-60D3-4802-00000000CF01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:43.104{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61360-false10.0.1.12-8000- 23542300x800000000000000018555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.675{4DB9351A-A0FB-60D3-4702-00000000CF01}6564NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\N87OXRZWDU\System.Data.Entity.Design.ni.dll.auxMD5=D78AE825E336E1D8B522F3ACB791B74E,SHA256=E3FABB3797D2EE3D42CE663D2CBA131382EBE46CC53ABF05F7B1E75D752DDC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.675{4DB9351A-A0FB-60D3-4702-00000000CF01}6564NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\N87OXRZWDU\System.Data.Entity.Design.ni.dllMD5=9543189BB0D9B15F665FAEE34208B1D9,SHA256=7665A9266FDA3EB5E55B25DD5E037E339F3AA56369510BC48EE2EEE88DB8FC65,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:44.629{4DB9351A-A0FB-60D3-4702-00000000CF01}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19a4-0\System.Data.Entity.Design.dll2021-06-23 21:00:44.629 23542300x800000000000000018552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.379{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317A976E8B9A9105B7F32BB6D5BCA1EA,SHA256=123441389CA377842561B191B263C0C65D10B28A8CFB6B978460C9330DB518D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.175{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5801CEB5824A9CA0F7789A9C56A43F34,SHA256=99DD7844D2215EE0053FD375F20CC2A1A233B9B4867664B3B03FCB7815F1796C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:44.175{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=595830EB35F9648961AAA4A7F07610E9,SHA256=707FDE8F2E0823FEB1F1D0A99DEE931FD198FC9BA5066747CF812FD58B98C307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:45.847{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5801CEB5824A9CA0F7789A9C56A43F34,SHA256=99DD7844D2215EE0053FD375F20CC2A1A233B9B4867664B3B03FCB7815F1796C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:45.472{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125F0210806F0AA3AFB749AC031EAC4F,SHA256=10B6B77129EF03A6DEABF3827AEE54EEBCFA7D68E7E9365B1746C8BD9C18F762,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:45.050{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FD-60D3-4902-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:45.035{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A0FD-60D3-4902-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:45.035{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FD-60D3-4902-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:46.707{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AC490E747D6A33D6368A1ED50742BC,SHA256=F06EEE38ECACD0C306CA3288BACD60BC3D788D15D42ECFA976206765F4381FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.738{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E0A1FC92E1FC1EE38EA2BF31676B9D,SHA256=3D99EF2A0E9DEA5B4BF7525AF7C6C43C2AE428E91B025CEB854A588C6059FE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.519{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.519{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.519{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.332{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A0FF-60D3-4A02-00000000CF01}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.300{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A0FF-60D3-4A02-00000000CF01}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.300{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A0FF-60D3-4A02-00000000CF01}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.222{4DB9351A-A0FD-60D3-4902-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4PDCRR76WG\System.Data.Linq.ni.dll.auxMD5=592CDD9EEF56381125F0387E91890DA5,SHA256=D2C21E280753A9B6085400F3387D27E0F9CEF57662C87A7B40E045E5CE2691D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:47.207{4DB9351A-A0FD-60D3-4902-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4PDCRR76WG\System.Data.Linq.ni.dllMD5=1BA7249DC58E3CE9FE2C64256CD87FF6,SHA256=1B987C3B6EDC9BDA8BC267087C678486CC88218C11D36395E2358E85628655E1,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:47.128{4DB9351A-A0FD-60D3-4902-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bd0-0\System.Data.Linq.dll2021-06-23 21:00:47.128 23542300x800000000000000018584Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.753{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46415E96E7E1280B6CC532673D1F890A,SHA256=027098843A0D80384DF4A1D910BCD67B3ED5A111BBAEE49E3D3A3F2589194A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.597{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A100-60D3-4C02-00000000CF01}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.582{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A100-60D3-4C02-00000000CF01}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.582{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A100-60D3-4C02-00000000CF01}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.519{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DOEPHYB5V6\System.Data.OracleClient.ni.dll.auxMD5=316DF0DFAAF08F90FDB56C6B343F3C6F,SHA256=17BC3A1CF83FD0766A1C154F7E14E78A24F8514810C39B2A07BB24AC0152253C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.519{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DOEPHYB5V6\System.Data.OracleClient.ni.dllMD5=4002F8FE77AEB24ED3BF295A640EFCC4,SHA256=DE85C47AA51241E3A46FF5A6651E71A46D4BAB6854FC33E04A0AD211E7422B49,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:48.488{4DB9351A-A0FF-60D3-4B02-00000000CF01}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1984-0\System.Data.OracleClient.dll2021-06-23 21:00:48.488 23542300x800000000000000018577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.316{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=078196ADEFF6A93254C5A4F1F807E9D7,SHA256=D0A4544F4F51DFFAE4009F9311AA353EF532671C6DC3BC57139ACC91BFB457F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.082{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:48.214{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61361-false10.0.1.12-8000- 23542300x800000000000000018596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.769{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8507775ED81A7E4B74D323226718996,SHA256=AF933818572FBA333E557CF45A7A24D4A18CF3CB67B557FB80DE7E56EC60CB34,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000018595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000018594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000018593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000018592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d76872-0xd864b556) 13241300x800000000000000018591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000018590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:49.675{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000018589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.613{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED4FA48834C6E07FFC9E02AB952E6CB,SHA256=4FB7E4E68F195F09F1A329C873F8EFC1BEFE5FB7A97119F766F8E576D7464361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.114{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018587Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.035{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.004{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.004{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:50.773{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDBB3A76A414B1743CFB797AE29AD07,SHA256=CE0DF58307D5CE4D94F7AC0C9A7ECDAF6697636CBF37E7028379143406190E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.775{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98545893EEE27FE848971B20B4E59690,SHA256=A3615C478C3D480CE408EEB059321D4122294E6451C46DB9C0B18D6E53056555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.382{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.367{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.367{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.257{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.242{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.242{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.148{4DB9351A-A101-60D3-4D02-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YNJ5Y7CR6Q\System.Data.Services.ni.dll.auxMD5=628794C4BA7C0332A79627521E7770FF,SHA256=298A377CAB1149A4C5951216FE43079AB9BE75225D12035097981768370ABF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.148{4DB9351A-A101-60D3-4D02-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YNJ5Y7CR6Q\System.Data.Services.ni.dllMD5=0225BB103AF450817FA0687A90E5A6AA,SHA256=CE4E6F3E72ECC35AC039BF4851176D0BD50D5B464DDFB1E71F37D2898A5B5936,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:51.070{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a50-0\System.Data.Services.dll2021-06-23 21:00:51.070 10341000x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.997{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.966{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.966{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.900{4DB9351A-A103-60D3-4F02-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2XX8TX0L53\System.Data.Services.Client.ni.dll.auxMD5=80C12FF623F435CCE201475529881E66,SHA256=4AE338683CED4CA6481991CB55B56BB8474103956E0363D22D9B8194F0E07859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.899{4DB9351A-A103-60D3-4F02-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2XX8TX0L53\System.Data.Services.Client.ni.dllMD5=090BD3E6F0B259F7B8F40DDE8E399EC4,SHA256=BDC81D5D3794EBAE332F10E7F900D52F34700853CB583AC31A66DFA58D893347,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:52.850{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16c4-0\System.Data.Services.Client.dll2021-06-23 21:00:52.850 23542300x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.782{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4727AF1CE8735CBE554ACFC1CCAF232,SHA256=31A4029E13D74206A7A05C309FF4A28E8202A277CD6A8BB251624039B7A0E566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.275{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F919D971E9800840397957901801919,SHA256=22FAD660063B10354D2C0B653EEDB426EB87FFE19FC302CBEB5E1342AD473948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.942{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF0BA121FD5E6B8B9C1D6C2145AA5DE,SHA256=EB3FD89E7C480391C5B9D99225C93EB4154A3157C687987D972EDDC3658C2B5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.756{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.512{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.497{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=824E816D346F3775C86749BF8AB3D05D,SHA256=15F002204801D7A1BFB023CE1E6665CF102242A4CF5828A3643D0981FBCC288D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.497{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.497{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A105-60D3-5102-00000000CF01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A105-60D3-5102-00000000CF01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A105-60D3-5102-00000000CF01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.076{4DB9351A-A105-60D3-5102-00000000CF01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.942{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E306665E7A78252212AF3211137CFE,SHA256=505BF1A1CE41A0C13AE17EE79E003C09358BE6EEAB1B06FA81BDEF49B858BD86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A106-60D3-5602-00000000CF01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A106-60D3-5602-00000000CF01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A106-60D3-5602-00000000CF01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.739{4DB9351A-A106-60D3-5602-00000000CF01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.582{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE0F1AED3C4A1D6D71220BC01A90AC7B,SHA256=011F8599F63EEF42144DFABA45E8C22F73E7D2DF2F8AE1E940FA0ACCE458FEE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.410{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A106-60D3-5502-00000000CF01}5348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.410{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A106-60D3-5502-00000000CF01}5348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.410{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A106-60D3-5502-00000000CF01}5348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.332{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A106-60D3-5402-00000000CF01}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.317{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A106-60D3-5402-00000000CF01}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.317{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A106-60D3-5402-00000000CF01}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.270{4DB9351A-A105-60D3-5202-00000000CF01}2680NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DPLOQ2F3NB\System.Data.Services.Design.ni.dll.auxMD5=2FCC4AC9B0011F923926BCF702C0F7BD,SHA256=69FE0DE1BB84C452FA0CE0B788148210434E36B35AF778AED6C6E89D176B11D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.270{4DB9351A-A105-60D3-5202-00000000CF01}2680NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DPLOQ2F3NB\System.Data.Services.Design.ni.dllMD5=26EBF1FBCCC03F5532D89A8296952D7D,SHA256=C12A1AD925C0E3ACA1CC9F23E34C3F18F5D7E80232174784FC4EB12FD7003C44,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:54.239{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a78-0\System.Data.Services.Design.dll2021-06-23 21:00:54.239 10341000x800000000000000018640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.020{4DB9351A-A105-60D3-5302-00000000CF01}39366908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.547{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61362-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000018638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.547{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61362-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 23542300x800000000000000018669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.989{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01601F3499F4F63AC9F5C649913B54BA,SHA256=4A71B0B2BBB2DD85BF36CCC3716D4F74B5129B1BA63A5C49E4C24AA9B1510C69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A107-60D3-5702-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A107-60D3-5702-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.910{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A107-60D3-5702-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.911{4DB9351A-A107-60D3-5702-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:55.739{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF989A4B6FA379B3EF353D0B28DA102,SHA256=F66ABEC05BB09553700CE205D2A80216425BC9B42952CF47A5618EE9CBDE6BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.989{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718621DEA45A155FD4827D2299D4CCFC,SHA256=82621D9DB83BA949268CFEAE75A3E912C35C1EAC13C7EF047CAE10E9641E226F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.926{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9D6A824080961D491B7392EF2A01696,SHA256=4DBB577C942662B2B3CF6BD30E3D0C60DC912DA925410AA5E6517F0FA7D179A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.676{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A108-60D3-5902-00000000CF01}3604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.660{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A108-60D3-5902-00000000CF01}3604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.660{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A108-60D3-5902-00000000CF01}3604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.551{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A108-60D3-5802-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.535{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A108-60D3-5802-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.535{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A108-60D3-5802-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.442{4DB9351A-A106-60D3-5502-00000000CF01}5348NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6N8DZP7DQ8\System.Data.SqlXml.ni.dll.auxMD5=2F85D73C550080ED183D8FF605BFD519,SHA256=CF53B900A1A1BAD58ED8DC32017757C9E09C3626BAFCA2600C5985167D8F15CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.442{4DB9351A-A106-60D3-5502-00000000CF01}5348NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6N8DZP7DQ8\System.Data.SqlXml.ni.dllMD5=9DC2547A52F82899F1458EA52F21C610,SHA256=E99B344179FED7E9FBBE6BE54B8C59E31C32CEA64F40722CA8E9A1DF315674C0,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:56.379{4DB9351A-A106-60D3-5502-00000000CF01}5348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14e4-0\System.Data.SqlXml.dll2021-06-23 21:00:56.379 10341000x800000000000000018671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:56.192{4DB9351A-A107-60D3-5702-00000000CF01}34921328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:54.199{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61363-false10.0.1.12-8000- 10341000x800000000000000018691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.676{4DB9351A-A109-60D3-5A02-00000000CF01}65684720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.146{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.582{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.567{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:58.442{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76872-0xdd9e6a45) 10341000x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.270{4DB9351A-A10A-60D3-5B02-00000000CF01}30207028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.223{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.207{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.207{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.145{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B10253114124B93D6A97F6404BEAC6E,SHA256=D440714C5AC223D64D664A3541FF542550244F6271D7AE33ACA7F62CEF860511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.114{4DB9351A-A108-60D3-5902-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OH4V91O7SE\System.Deployment.ni.dll.auxMD5=04E371113A68F37EC6E50CDD89393E66,SHA256=23273344BBEC508C1A0FF721BD6F0B1C3EF922539B8C6111A0CD9D00BA0E94B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.114{4DB9351A-A108-60D3-5902-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OH4V91O7SE\System.Deployment.ni.dllMD5=DD75C8F1ACEA1E0D27218C74B2B5BF44,SHA256=27C3D42E97041608FDF3A77B76C1A28A2A52D5AAE3807A64780C5622F7CF2BF4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:58.067{4DB9351A-A108-60D3-5902-00000000CF01}3604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e14-0\System.Deployment.dll2021-06-23 21:00:58.067 10341000x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.054{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.004{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACE52486ED9F1CFFE337C1732B0A22D,SHA256=1D15C7BDF43B58AC9C8FA14010735CF0A8C288DF7C92B0BDFA0DD734FE2BDA10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.771{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.771{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.772{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.365{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD24E775ED5F7F4C0AE2FAD68A65A59B,SHA256=58980F914A9D39F68ED4FC7C3187F17B2D3DC6E33F3CF1D4A67975D02B825E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.021{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0071B5EE8BF91FE76A357B7B3559986C,SHA256=37670B8E904008361E8E1444B447E1E013EE26BBDB49F6978C84EDD6F42732D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:00.787{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DFD5006FF91862D137B422F36EF263C,SHA256=D69F9FAB26FBE579F9414415A195BE594448CED6A379F52C9D0EC8CAFB35B598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:00.037{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49EB91084852FCD1C2551E7507E78A9,SHA256=C436E76538D9B08914853620884CFC1AC12941CD6866C6B72D107440ADE95EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:01.084{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34515AB3878B8EB2ABAE4C1128A5E6D,SHA256=6F709DDAB09975D8BCCEC465F238320C30DCDD54C9925B78F40CD4B311737899,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:00.216{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61364-false10.0.1.12-8000- 23542300x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:02.099{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA80344BE493817CBE36EC1421CE6F,SHA256=BF6129A1C4AFBA6F35B44049BB0F7904E94C34E61EF10D808B606AD841013D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:03.115{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78A392DA940A99AC15BC6AB6698303,SHA256=52917F598EA05D292BCB5F8635DBFD26BAE1413AC9F617EAA80E09CC4813B000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.896{4DB9351A-A10A-60D3-5D02-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HER0Y5XJ3W\System.Design.ni.dll.auxMD5=D7A0DAF439CBF822EF1F0FC519546D22,SHA256=ECD2438DFCD947364F742B17816F9E98069B290C1B6C7B1A5B513C0EFACA4EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.896{4DB9351A-A10A-60D3-5D02-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HER0Y5XJ3W\System.Design.ni.dllMD5=E0F70BDE57A9C3BCB0376363B612D788,SHA256=C8F6F5B03BBA740EADFF096F78189CE7F631C15B1569A23BDA7904397D815BD9,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:04.568{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10b4-0\System.Design.dll2021-06-23 21:01:04.568 23542300x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.130{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5F6DC6A9744CCFEE7A54FD7BACCD83,SHA256=AEFCA3A50A672316A4A6C5E534D413ED84ECD73654A55C9B7EEAEA852522E3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.599{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.599{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.490{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.474{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.474{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.412{4DB9351A-A111-60D3-6002-00000000CF01}7096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M3891CDO3Z\System.Device.ni.dll.auxMD5=931650146A6264DC138938B4E3D779AD,SHA256=3046C50E9EBE5BEF8F843FCBEFB229D5EB561E890114C52EB442B67D70CB4E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.412{4DB9351A-A111-60D3-6002-00000000CF01}7096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M3891CDO3Z\System.Device.ni.dllMD5=0D4F1813E61D936C5381B2FB80324E4A,SHA256=8ADB33FAFE0738CF075429939409C98BB69A760F340207401161A7F1BAA34FB7,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:05.396{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bb8-0\System.Device.dll2021-06-23 21:01:05.396 10341000x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.255{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.240{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.240{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.177{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.162{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA008A97FD4757539672B12AF53956D3,SHA256=DA93F8572177ED4EAA7C0243E704766A76C5B04C0F2FCA3B0600477F746E2056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.162{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.162{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.927{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.912{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.912{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:06.818{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a34-0\System.DirectoryServices.Protocols.dll2021-06-23 21:01:06.818 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.505{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.490{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.490{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.458{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.443{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.443{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:06.334{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1938-0\System.DirectoryServices.AccountManagement.dll2021-06-23 21:01:06.334 23542300x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA66E568C78539D1DCBA78CA1A52346,SHA256=5888D361A70356278123103898ECD862249390ABB703E4AE2249BF731CF9C6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48454BAAD86B4A530261B08E34B69F92,SHA256=0366A2923568DA7305658EFD241FD8F856FA70CD7CA236F204EE68BB6CF06388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AA6C477B8AA3CEABB9B47B2C92D7C28,SHA256=696909B6828627DACB90C6C3A8307D82B2C29BFA50311724B871DC4E9C4774CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.912{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.896{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.896{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.849{4DB9351A-A113-60D3-6802-00000000CF01}7136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I7LZTBZVX2\System.Dynamic.ni.dll.auxMD5=EE1BC091F8771CA0B35329CBAE54A5A2,SHA256=B681B6E8204DC1FE095A6E03FE0984BD1589052088CDB17ECADFCDE32343641B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.849{4DB9351A-A113-60D3-6802-00000000CF01}7136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I7LZTBZVX2\System.Dynamic.ni.dllMD5=BB8DB5D69A750295C217A48CBDFB1AC3,SHA256=AC12CE15CD82AD1C5D614EE6E16495C3FD361188A9F49E2998A784E3EDC2F4AF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:07.818{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1be0-0\System.Dynamic.dll2021-06-23 21:01:07.818 10341000x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.568{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.552{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.552{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.230{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61365-false10.0.1.12-8000- 23542300x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.474{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48454BAAD86B4A530261B08E34B69F92,SHA256=0366A2923568DA7305658EFD241FD8F856FA70CD7CA236F204EE68BB6CF06388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.474{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.427{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.427{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.349{4DB9351A-A113-60D3-6602-00000000CF01}5480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IZQO2GMGH6\System.Drawing.Design.ni.dll.auxMD5=B19345322480F2E2BC4B763604F979F8,SHA256=6E607CA83CF2BDC4EB083F3BBE7C01821B0F87EE4619AEB6A433B2F854BB0EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.349{4DB9351A-A113-60D3-6602-00000000CF01}5480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IZQO2GMGH6\System.Drawing.Design.ni.dllMD5=170CEFCBC68C8C437037E15CC4F6A3B6,SHA256=6BCC8F8B2A7C9D4CB3F9AB6039AF749F103B72B2F489A1DFAADC2B17CC4F6AB0,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:07.318{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1568-0\System.Drawing.Design.dll2021-06-23 21:01:07.318 23542300x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.287{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BDF99AA8D0216EC8090758F3B39D4,SHA256=0847FAD8B0FDBF6862077AA3B5CA3690251B5532BD080A1F4A6AEEC7E0777A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.021{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.005{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.005{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.880{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.849{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.849{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.755{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.Wrapper.dllMD5=A08AC30FD2DA1C8BE3C3C7BE75FDFD2B,SHA256=B237D98A0720E6FB5071AB148FA81D23A66973B402EF83E32DF6EF8435E4934C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.740{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.ni.dll.auxMD5=03159FDC9862F6EB36FF8B4040583B3E,SHA256=69B0577DCFCFD3B2FE87531F5A6B36A19CFD883AD7AF1CF98ED84B27DDA87086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.740{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.ni.dllMD5=0F00677E276218902156F50628C49B68,SHA256=1773C9D95983AD253B4BE80D98218CBA784B945690BC5379CBF5C882A1E2E55E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:08.724{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aec-0\System.EnterpriseServices.dll2021-06-23 21:01:08.724 11241100x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:08.693{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aec-0\System.EnterpriseServices.Wrapper.dll2021-06-23 21:01:08.693 23542300x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.568{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5430EAB9002892D66C93F23E9FC9EC24,SHA256=E7E348B921D2545DDCBEE777A8DA9F6B0C7BB6C55B0CDACF79FD18CF9AFCA486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.318{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22FFAB9F05CCB5B5A0D1965A89C1CD9,SHA256=FE820BBFF00CB6DAE3DD5833A4B0BA4D6EED5A3925DE903F3F957A291358BB10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.005{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.990{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.849{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C31B43822F8CC6329A01760371CB7902,SHA256=7FCCA36761F2D8F6C648617AF9004845DF02F955CEDE10178A43D1E36B29E244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.333{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC0E0C56E8AC2F914852241DB8C7B4E,SHA256=A42A77F65533611B85123BE100F5158AC24355E7CA2CE1D868EB972A0B6B79A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.021{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.021{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.021{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:10.451{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A80D7DCF5F498B9F9FAD4395D612FA,SHA256=BC5347BBD1F1E7ED1F8C8EA362447998BCD9D6DFD2F1FAA4EFB5B3414E77E9E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.764{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.685{4DB9351A-A117-60D3-6E02-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZO7T9PAIOP\System.IdentityModel.Selectors.ni.dll.auxMD5=680522C65915FDF66DB847EF6302A49D,SHA256=CEBE8F735B000BA8FB3C3BB0504CDF928926EB2215144F1B20AD4734073F2E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.685{4DB9351A-A117-60D3-6E02-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZO7T9PAIOP\System.IdentityModel.Selectors.ni.dllMD5=7EACED69AC81CB1F4E3FA510A32FA803,SHA256=0C4E0B80295320F20F278D3DC28C4BE907390706EA77F47C06B1B8473B84911D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:11.670{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1980-0\System.IdentityModel.Selectors.dll2021-06-23 21:01:11.670 10341000x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.514{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.514{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.514{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.467{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E6691A52A8B2645E58B44D693A2F11,SHA256=921302E3918CE592BE3CC1591831A93E0C43299C089F316EA19D87934DABDA9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.451{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A117-60D3-6D02-00000000CF01}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.420{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A117-60D3-6D02-00000000CF01}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.420{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A117-60D3-6D02-00000000CF01}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000018803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:11.264{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d04-0\System.IdentityModel.dll2021-06-23 21:01:11.264 10341000x800000000000000018829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.982{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A118-60D3-7202-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.982{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A118-60D3-7202-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A118-60D3-7102-00000000CF01}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.810{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A118-60D3-7102-00000000CF01}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.810{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A118-60D3-7102-00000000CF01}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.748{4DB9351A-A118-60D3-7002-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MK72N7MKAF\System.IdentityModel.Services.ni.dll.auxMD5=EC9C6938573CD6D8514C7FC8438E194C,SHA256=35D4B02BEE6A7DE743A6FAB8EB1789C908205A40558485460317CF278EAEC728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.748{4DB9351A-A118-60D3-7002-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MK72N7MKAF\System.IdentityModel.Services.ni.dllMD5=896A28ACF0EF806B08D429DBA9278B4A,SHA256=A7070A7EB8BDE8EA912D8A8365AB348B34AF5361B1D7895791A19D8FE3502779,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:12.732{4DB9351A-A118-60D3-7002-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b8-0\System.IdentityModel.Services.dll2021-06-23 21:01:12.732 23542300x800000000000000018821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.482{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBA36FFFE11D484FE2725311FCD8461,SHA256=8FBC9D3B6C9844348A04A588DF3BF570EB95D66FFDF60E6F1C26A91E71F9F038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.451{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9165B1BE20FEEE7A9D5C6C638B23FC1C,SHA256=F8E47A1E827215668FAF4C2FAE2210F06550BFE8B04CBFF5E695056DE75D11FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.248{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A118-60D3-7002-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.232{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A118-60D3-7002-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.232{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A118-60D3-7002-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A119-60D3-7702-00000000CF01}5368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.935{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A119-60D3-7702-00000000CF01}5368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.935{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A119-60D3-7702-00000000CF01}5368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.920{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3536E67CBB8190F3D69DD783CE2C9A27,SHA256=1C7593A87843C1D388E44F18CBA6AB5F60231167C31370CA2CE4F135A3D652A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.920{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8D1398813CA59C43A37F2D765D3065,SHA256=83B2B4DD82E99C16E5E5024CFEF135DD2090D55DE115C567F255D2A6CDCFA437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.889{4DB9351A-A119-60D3-7602-00000000CF01}6560NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XKJ6YM5P50\System.IO.Log.ni.dll.auxMD5=CE65A2402E061BB0465D2243764EFE2C,SHA256=0D93BFCF26F7D342E7B5C13A107999A710E6D5368AA70F451D024220670459A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.873{4DB9351A-A119-60D3-7602-00000000CF01}6560NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XKJ6YM5P50\System.IO.Log.ni.dllMD5=BDAAB6BC4AE780AD58A6E2B386E2D3E0,SHA256=418B6BBB4FA6584A301392357020DB41F0A80451463ABD6DECACE994766D9C54,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:13.857{4DB9351A-A119-60D3-7602-00000000CF01}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19a0-0\System.IO.Log.dll2021-06-23 21:01:13.857 354300x800000000000000018850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.238{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61366-false10.0.1.12-8000- 10341000x800000000000000018849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.498{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A119-60D3-7602-00000000CF01}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.467{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A119-60D3-7602-00000000CF01}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.467{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A119-60D3-7602-00000000CF01}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.389{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A119-60D3-7502-00000000CF01}1300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.357{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A119-60D3-7502-00000000CF01}1300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.357{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A119-60D3-7502-00000000CF01}1300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.310{4DB9351A-A119-60D3-7402-00000000CF01}4212NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IXZJUAZS00\System.IO.Compression.FileSystem.ni.dll.auxMD5=C3619F644B362A732D4B8842CCC8A32C,SHA256=95942D0894A2CC324E1CB8F5F7EBE423815A70CDD44D45324187BEFAC0546CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.310{4DB9351A-A119-60D3-7402-00000000CF01}4212NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IXZJUAZS00\System.IO.Compression.FileSystem.ni.dllMD5=33E71CB28D694FFD2DB44FBEF03DB6D4,SHA256=0861B01F7978CD2847D6FDEB601B42DCE5A713D4371A377E9DEE25FC54C4093F,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:13.295{4DB9351A-A119-60D3-7402-00000000CF01}4212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1074-0\System.IO.Compression.FileSystem.dll2021-06-23 21:01:13.295 10341000x800000000000000018839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.264{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A119-60D3-7402-00000000CF01}4212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.248{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A119-60D3-7402-00000000CF01}4212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.248{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A119-60D3-7402-00000000CF01}4212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.217{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A119-60D3-7302-00000000CF01}512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.201{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A119-60D3-7302-00000000CF01}512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.201{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A119-60D3-7302-00000000CF01}512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.154{4DB9351A-A118-60D3-7202-00000000CF01}6484NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4N5TI9IFGX\System.IO.Compression.ni.dll.auxMD5=8E3686E20F605642B2A7B2D208BE351E,SHA256=81D27D767CEB7C0FB68AE9E08315EC3C265B60AFD7AFFD33EE0026F6149207A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:13.154{4DB9351A-A118-60D3-7202-00000000CF01}6484NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4N5TI9IFGX\System.IO.Compression.ni.dllMD5=CC23BA4E1FEB8DD4EB60BCF24BA1EEA4,SHA256=FC308ED44CA7558556986DD93D57D67FED7D702F8A4B5642C20BC4821E5A58FB,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:13.139{4DB9351A-A118-60D3-7202-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1954-0\System.IO.Compression.dll2021-06-23 21:01:13.139 10341000x800000000000000018830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:12.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A118-60D3-7202-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018875Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.982{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50F3E54B93FB5C5B245530886056FEC8,SHA256=AA11029E0DDF19400283A2BE9072B7165080A266C122F0C8A55134692AF693D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018874Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7B02-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018873Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.732{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7B02-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.732{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7B02-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.732{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9AA2187869CE1EFBD05AD5B2282CAA,SHA256=6EC5A37C104CC72881BC73EF78F23108B81E8C73B871A1503A764A390D14D6FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.685{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.685{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.623{4DB9351A-A11A-60D3-7902-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LKIJ6N3X9W\System.Management.Instrumentation.ni.dll.auxMD5=3D5CBC515E35F8F7E363B002528517F0,SHA256=8FD1AFA9C6E8813BC31FA5AB1ADBF5476FABDA3CABC4FC88CDAF4C51C2B378A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.623{4DB9351A-A11A-60D3-7902-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LKIJ6N3X9W\System.Management.Instrumentation.ni.dllMD5=5EB656CE52B16A317C7CF53B3B6E2131,SHA256=51EC98739C5B189FF84F3358A09D1D002B956FCCEBEE7F8CB35EFB7C011C4A5C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:14.607{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\da4-0\System.Management.Instrumentation.dll2021-06-23 21:01:14.607 10341000x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.389{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.373{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.373{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.310{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.295{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.295{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.904{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.904{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.904{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.857{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.842{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.842{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7ENBCLX6YT\System.Net.Http.WebRequest.ni.dll.auxMD5=504853C28422844FC7509FFA96E52CA9,SHA256=53815D7F51C00EF70A7ABAE2D25FDF7062426642C18C095E713F5D16D98AF5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7ENBCLX6YT\System.Net.Http.WebRequest.ni.dllMD5=1E63037F7416695E734762C5DBBE6929,SHA256=CA07D8FC2F9834B56770B119201E35AB97A97D2178C16EC81A60CD4CF4B41011,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000018897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=861E2074A54ACE92E0D7764F2EBC2E68,SHA256=AF5176FA16B0F48B5D355A1B7C9F0933E8B98C089F1CFCCCAA9D2735DEE3D866,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000018896Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e48-0\System.Net.Http.WebRequest.dll2021-06-23 21:01:15.795 23542300x800000000000000018895Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=595F47A7B05E23A5F6060F0F4BB3716E,SHA256=1C755D4845DC45A3D77C8F8E47353B2700174C9BFB57B883899FC274744AD2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3474C857098CA46AA1D5BA7C2C26D8F8,SHA256=14139E67F4AC703AF97B2558CC44B25FA5FFD21A953B4947BDF5136EE4130A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.748{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.701{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018889Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.685{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018888Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.685{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.623{4DB9351A-A11B-60D3-7D02-00000000CF01}2536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85LYOGT8IU\System.Net.ni.dll.auxMD5=9B0174DFB6E63E3BA23B1440E9E50A4E,SHA256=38BDBF0ADC5D46FBA26989747CB3C97FB0278961D993131D4F88288075B80A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.623{4DB9351A-A11B-60D3-7D02-00000000CF01}2536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85LYOGT8IU\System.Net.ni.dllMD5=26CD332634E040FA786C5691506B4366,SHA256=A61744EAB77DC7829352DA5318C8EB1B3B51159F43AE56806226006CBF72DE19,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.607{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9e8-0\System.Net.dll2021-06-23 21:01:15.607 10341000x800000000000000018884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.342{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.326{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.326{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.185{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.170{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.123{4DB9351A-A11A-60D3-7B02-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8X6BRPO3U6\System.Messaging.ni.dll.auxMD5=60C1E905E22120D976121EF5738ED442,SHA256=54D4DA40B3148DEBD43E6A22E3B9C5B2A28B231BC43BBB22EE94A9DE683EDACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.123{4DB9351A-A11A-60D3-7B02-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8X6BRPO3U6\System.Messaging.ni.dllMD5=93836605808A835064C0F896A6BEA90B,SHA256=C2CE62779710EF3C2D2D2690D970F219B84DE490C92AEC2376257F8DE59EC5EE,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.092{4DB9351A-A11A-60D3-7B02-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1aec-0\System.Messaging.dll2021-06-23 21:01:15.092 354300x800000000000000018920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.833{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61368-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000018919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.833{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61368-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000018918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.832{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61367-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000018917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.832{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61367-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 23542300x800000000000000018916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2751FA361AC61CB8EB32D995AB168E0,SHA256=E9B9A3CFA74065A5B89220FE4D757C9412608011997587A5365A25EEF2726654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.623{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.607{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.607{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.217{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC55F17659CC1B143E3536111B4FF39D,SHA256=E410B5CF5F0ADD0FDC1D25D6F00F681FF0A03C8F0E01F0FA9458068CF340F8E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.170{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.154{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.154{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.107{4DB9351A-A11B-60D3-8102-00000000CF01}7020NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUVBO6CEG4\System.Numerics.ni.dll.auxMD5=90107E341C19D3117700EA484B28F25B,SHA256=B2539461BFCF88012F3ABFA57261F693D6B4EE7C20D5D41C3E7A8447FFB50D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.107{4DB9351A-A11B-60D3-8102-00000000CF01}7020NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUVBO6CEG4\System.Numerics.ni.dllMD5=AB61CB545A9DC24A8ED57E1F509C2486,SHA256=9749BAAA95919E74765F39646D85EA7C1C151F77E0BCF564C0C8D603C45E4B3D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:16.092{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b6c-0\System.Numerics.dll2021-06-23 21:01:16.092 10341000x800000000000000018954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.982{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.982{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.920{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.920{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.857{4DB9351A-A11D-60D3-8502-00000000CF01}5648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JKO6Q1HCHQ\System.Reflection.Context.ni.dll.auxMD5=5C47900FF167EB523C27C73B02811BBD,SHA256=C24E3DCA6E4F7BA73CEE71B59EDF9B6AAC5B3102BA2BB32136D4E263A3FA72E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.857{4DB9351A-A11D-60D3-8502-00000000CF01}5648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JKO6Q1HCHQ\System.Reflection.Context.ni.dllMD5=E4DA61B682A05A204B50B410C15A57AB,SHA256=0302FC9D8E6E766D55212EF2009D46616ADB91748DCF42C299807389B89F9227,IMPHASH=00000000000000000000000000000000truetrue 22542200x800000000000000018947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.856{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.855{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.853{4DB9351A-9DDB-60D3-0B00-00000000CF01}628ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.851{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.850{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x800000000000000018942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.849{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local57688- 354300x800000000000000018941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.847{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local50944- 354300x800000000000000018940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.847{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local55455- 354300x800000000000000018939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.845{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58662- 22542200x800000000000000018938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.848{4DB9351A-9DDB-60D3-0B00-00000000CF01}628DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x800000000000000018937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.844{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local56995- 354300x800000000000000018936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.844{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local60447- 354300x800000000000000018935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.843{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49962- 354300x800000000000000018934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.841{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49381- 354300x800000000000000018933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.840{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local60254- 11241100x800000000000000018932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:17.827{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1610-0\System.Reflection.Context.dll2021-06-23 21:01:17.827 23542300x800000000000000018931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795337EBBF5956EA10B0D4333B6509DE,SHA256=918DF28B54007E38945DE7955F48C0688741BF067C660706D2E829556BD05042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.654{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.654{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.623{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A60AB4E97412AAC8E10D46F55076CF,SHA256=965038EBEDD0749C0FE877CCD4C20B948F130A5368E71E36F8F7C3C6C02B3FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.560{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.560{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.498{4DB9351A-A11C-60D3-8302-00000000CF01}6252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\W56GVWCW12\System.Printing.ni.dll.auxMD5=BE8FE718251EAC27EF18D851C78DC7F3,SHA256=656706A64AB7CCBF3D83BB132148CE8C16B25FD3BF900B5A4BC7F0E5CCC00989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.482{4DB9351A-A11C-60D3-8302-00000000CF01}6252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\W56GVWCW12\System.Printing.ni.dllMD5=9EC159AC4980BFE3FACF498EECB48BE4,SHA256=E29D2F08161C92B0C8B6728525B26665B7FA76E1D88BBEE9BAB000A287071BB4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:17.451{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\186c-0\System.Printing.dll2021-06-23 21:01:17.451 23542300x800000000000000018977Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.951{4DB9351A-A11E-60D3-8B02-00000000CF01}7156NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68REWFTSHZ\System.Runtime.Serialization.Formatters.Soap.ni.dll.auxMD5=14728FE0E93419D5570911F529CC7DC3,SHA256=DBE1E91C843CEE9832808D1A2FB5DB2FAB6137638AB0F9779774F28098153F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018976Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.951{4DB9351A-A11E-60D3-8B02-00000000CF01}7156NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68REWFTSHZ\System.Runtime.Serialization.Formatters.Soap.ni.dllMD5=AED35C076E2447686C44DA0B77BED8B9,SHA256=CABF23415564A6C8FC20BF381B7D6722918DFC22E84951F9D10BB0895E340B68,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018975Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:18.935{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bf4-0\System.Runtime.Serialization.Formatters.Soap.dll2021-06-23 21:01:18.935 10341000x800000000000000018974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.701{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.670{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.670{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B20C8535856BAFFD4E16B85B33D615,SHA256=BC625020BD847E7CB99FE5C7CB5D26884F5B54F24E05167678339675D2AD9C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.654{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.654{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.607{4DB9351A-A11E-60D3-8902-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R8C4ULFFWB\System.Runtime.DurableInstancing.ni.dll.auxMD5=DEDE93EF02B00C1EC460CE8546A9E1BD,SHA256=919C998D2DE521B98CE32469DF82AD630BDB4AD97E97FF7AA5B7E9909220F8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.592{4DB9351A-A11E-60D3-8902-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R8C4ULFFWB\System.Runtime.DurableInstancing.ni.dllMD5=63B25CAB80B7979234AE6E59094BD551,SHA256=25DED5BC1D407EDDA0564ED913BED34EFD40B592757CCD01BA49837F662D1B00,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:18.576{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15d8-0\System.Runtime.DurableInstancing.dll2021-06-23 21:01:18.576 10341000x800000000000000018964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018963Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.310{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.310{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018961Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.248{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.232{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.232{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.185{4DB9351A-A11D-60D3-8702-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0DSCRF6YH1\System.Runtime.Caching.ni.dll.auxMD5=F796378188C5CE8116835381A819120B,SHA256=C8AE9BBAA0B3A23F6D9456055BB0CE11583CC362E46DD318FBD7247D45BE9C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.185{4DB9351A-A11D-60D3-8702-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0DSCRF6YH1\System.Runtime.Caching.ni.dllMD5=D02EC327DB634B2F264668E78C834445,SHA256=0FD17BC2A1911A06806803AAD97B65677DF475D0D3A002AC713253FF3ADE7615,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:18.170{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15a8-0\System.Runtime.Caching.dll2021-06-23 21:01:18.170 10341000x800000000000000018955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.951{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37894A1A84B7B8270DB203E9D801584,SHA256=BF751FDEF59EE44DCB0E4014DF7F4752F7E65CE9FB73787CC06747B6526E4AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.920{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC0D3D6704C27B074D9279AA1CA1E90,SHA256=4AEBB3FEACCB4937456FB83AFB8AD60DF3B2E94B9EAF0F1D3462C1DA0CB6D9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.763{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.685{4DB9351A-A11F-60D3-8D02-00000000CF01}7108NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCGOPZ2UF0\System.Security.ni.dll.auxMD5=7C2D1E993C4D34C13A652BAAB81CFCA0,SHA256=C6706940A2E53CFBEEDCF292BD421E97F2337143BB54A87183CD10A21DA869F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.685{4DB9351A-A11F-60D3-8D02-00000000CF01}7108NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCGOPZ2UF0\System.Security.ni.dllMD5=4844641A15F302B35F8081D78C27A951,SHA256=BC1E5C710E4E2C689E9BFB424C0AB85224A3145230E54BBBC8A91559640BA350,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:19.670{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bc4-0\System.Security.dll2021-06-23 21:01:19.670 23542300x800000000000000018984Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.123{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434F3EF6B193B8AE99ED86B746F8349C,SHA256=69D3AE5220DD3F1DD54A6C77C637FB8B604A4BBA57EEBBB1BFF7C2C3BBD63B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018983Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018982Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.076{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018981Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.076{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018980Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018979Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018978Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.013{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.857{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.842{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.842{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.685{4DB9351A-A120-60D3-8F02-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RKOWJUDZ0G\System.ServiceModel.Activation.ni.dll.auxMD5=EF191DB9F47755D77A9F1708A8128A2B,SHA256=B7AADD292E0F22889CD7BABB11B84A6AC7AC615EBA615D39A7221D0313DE90C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.685{4DB9351A-A120-60D3-8F02-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RKOWJUDZ0G\System.ServiceModel.Activation.ni.dllMD5=306B2DCDC0C5280863865518E935B0E2,SHA256=BBC6BBCCA350173D6B5E27C3688D33656A65D1253551A9EA801B27FB277A16B8,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:20.654{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bd0-0\System.ServiceModel.Activation.dll2021-06-23 21:01:20.654 354300x800000000000000018996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.207{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61369-false10.0.1.12-8000- 10341000x800000000000000018995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.013{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.013{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:21.045{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DE28A2619B24D19CA6CDBA02173FB8E,SHA256=9388D4454883862FCB06D0591FDBC86AC0E2DA6141133D56C0800BCA92FDE948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:21.013{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9EA65DC4DCD1A415EEB67E57256A7,SHA256=C821A1814E46686C80CBCF0BA6B514A98FE98AEB4539E7752C80422B5F0BD30E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:22.951{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bbc-0\System.ServiceModel.Channels.dll2021-06-23 21:01:22.951 10341000x800000000000000019017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.607{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.592{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.592{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.467{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.467{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.342{4DB9351A-A120-60D3-9102-00000000CF01}5720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JHHCQ7B43U\System.ServiceModel.Activities.ni.dll.auxMD5=DDB7231C3CE9AA4F6403B03F18570455,SHA256=BF05B11C53EC462BA62BC4466C6DF20FA8230702A3B6FB012AB3BE2BD68B43BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.342{4DB9351A-A120-60D3-9102-00000000CF01}5720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JHHCQ7B43U\System.ServiceModel.Activities.ni.dllMD5=4B411016CB3BBCD0A89F1D6D7A568E9B,SHA256=E5E2C8D503534AFF936493D2EDA30D0602BD4FCA8D0526C31B029E6405DFB5A6,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:22.279{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1658-0\System.ServiceModel.Activities.dll2021-06-23 21:01:22.279 23542300x800000000000000019008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.029{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3822E1236529F4B7451C9513E2B8833,SHA256=9F85CD1A67086299B254C8BA03E247E79657A4C32BD06B72BD053D74D9F4FE78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.920{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.888{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.888{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.810{4DB9351A-A123-60D3-9502-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NORY0L6TLS\System.ServiceModel.Discovery.ni.dll.auxMD5=9464ED6AA1A915927FA940EDB6ED8748,SHA256=660A0947C8208EF55CC5B4CF6CFB7F01915903A481AF426A4C3DFA87C26771BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.810{4DB9351A-A123-60D3-9502-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NORY0L6TLS\System.ServiceModel.Discovery.ni.dllMD5=ACDEF191C255DA8ED7C0B5D99D5A644B,SHA256=8F2B92894F272F7841A7AC452BC42702C594B6A135B8DDD3DD81E1CEA52C506B,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:23.763{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b8-0\System.ServiceModel.Discovery.dll2021-06-23 21:01:23.763 23542300x800000000000000019026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.513{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7E858A2828DB53AB0F8D43D99B292E1,SHA256=2B8A3812DF73EA27BC3DA30082BE3680A44E2AC0E1FD7BDF82E93A56467E9671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.185{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.170{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.060{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E264715E59A65040000A66D38127D06,SHA256=3E7DD6AAFE7F33B80FC4D7CB4A35A8A88317D5C6C15E43EA69C44F4F33D6FB21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.013{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.888{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBFBEF63DDF9C8401ACC2D1947EB06C6,SHA256=06C1BE728E12D137FF7C78D88099784DEDA484623649153224AC4950A76D1CF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.623{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.607{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.607{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.513{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.498{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.498{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000019037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:24.435{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1320-0\System.ServiceModel.Internals.dll2021-06-23 21:01:24.435 23542300x800000000000000019036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.076{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33C943E4A21920C3865EE41C386FC9D,SHA256=6F3C9E36A5277A22A55B9E5A2F8469EB0E3A651C1AE4A9985CCB897728F414FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.013{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.810{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.795{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.795{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.545{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.482{4DB9351A-A125-60D3-9B02-00000000CF01}3124NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SYOQN7FWVU\System.ServiceModel.ServiceMoniker40.ni.dll.auxMD5=F7D2DA09880009CEE209A5E6132DC95A,SHA256=1F19BB77CFD7D0BA0365D2A19DB333943FEE1915A932E8E44FA2081D7D7C26BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.467{4DB9351A-A125-60D3-9B02-00000000CF01}3124NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SYOQN7FWVU\System.ServiceModel.ServiceMoniker40.ni.dllMD5=9C3B7229DE892683DBBDCDDEB5504A91,SHA256=81DED4C7957EE9B782B68DDCD48344A04ADE00CC8D6FE2EAD1C7F24011139987,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:25.467{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c34-0\System.ServiceModel.ServiceMoniker40.dll2021-06-23 21:01:25.467 10341000x800000000000000019055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.404{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.389{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.389{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.295{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.295{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.217{4DB9351A-A124-60D3-9902-00000000CF01}6496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3DXV08NAXP\System.ServiceModel.Routing.ni.dll.auxMD5=5B74D3B5B6CF28167CB5B5DB782F2F04,SHA256=9D27FAF0F2F8B4D262A8F93AA1E4AC1056E97C865650ADB9B03C62D44BAF2D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.217{4DB9351A-A124-60D3-9902-00000000CF01}6496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3DXV08NAXP\System.ServiceModel.Routing.ni.dllMD5=E985EAF11F8A3E299BE07A6432BA5ED9,SHA256=242EAF7F1091B190ADCAABD139305B55874E9EE3A077C9CED6C215D04B0CBD29,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:25.185{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1960-0\System.ServiceModel.Routing.dll2021-06-23 21:01:25.185 23542300x800000000000000019046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.108{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B59624244A9A41DD92B9D7CBF088A30,SHA256=408D4821A7BFA504DFAAC61AE147CED7A691174AF3E3911FE200649F2A260D22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.254{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61370-false10.0.1.12-8000- 23542300x800000000000000019067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.373{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B3564D82C12574DF176791531653150,SHA256=D8F64918D9CB4EB43F33A4539EA0D86E064F3E2B527B96F10A99D0CBE9EBA721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.123{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3362F23C02546713C7A6463466A2900,SHA256=AB85E57E63003ACE25046607D1D28230085427ADD7F40421C4B615D6511F16F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.092{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=995D70667FAEDD4D62AC8349DFFD80AD,SHA256=4CF96CBEA7A392090C4CFAD4488929835428B273E1632ACC933EAB8C836E478B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.701{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.545{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000019069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:27.420{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a20-0\System.ServiceModel.Web.dll2021-06-23 21:01:27.420 23542300x800000000000000019068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.154{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9690E4B4A571DF815994BDB1CA5FE6,SHA256=BDA0D8ACD25D12B4F56FD4672801A0B0E7580EE395DDDD4DA2C2720824C7B790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.920{4DB9351A-A127-60D3-9F02-00000000CF01}6968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CXT5AL39J0\System.Speech.ni.dll.auxMD5=E6E3B69558422B846620014F4B4BDEF9,SHA256=D9BB2FD2E5905509168777C231A579DFAB24E1A8E1E4F7FBBAA4A2357574DB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.920{4DB9351A-A127-60D3-9F02-00000000CF01}6968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CXT5AL39J0\System.Speech.ni.dllMD5=707DF04B3DBB37B911D91E9EF789D44E,SHA256=26AB4B98729C63EFAC8E1FA8C2570571F22AF9345E904460823DD709C1127152,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:28.873{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b38-0\System.Speech.dll2021-06-23 21:01:28.873 23542300x800000000000000019077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.685{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF4D608EA9D30DB2ECE1851642FC224,SHA256=A9AD08C4C236BA50A2197F63080C5024E1F189007E02851B3B302C940591B330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.263{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911CA334AB6F5E15B416C70A7730FFA7,SHA256=BA69D8590E95DAB595B628CBAD78287955418C0C6F267E9AA180403D8E9FD341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.263{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF3F49A06D35FCD71E78E416BC477C4,SHA256=2CB8B90B1B5661100C32CA9C307BCD6474B377315260F836F2C944B585454AAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.015{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.015{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.113{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61371-false10.0.1.12-8000- 23542300x800000000000000019089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:30.290{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA90B499592C15B48454FC861053F1B0,SHA256=AD3FFF68BC8F2712F22B9F2450DB98C151F684E012FCC203A79C9654E8E87B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:30.040{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4A3344DE59AFACEBDF71CA840DAC95,SHA256=6B05E2AC8457147E4733F2BE8B2A829791A6E1A92B2619F5335E35A5E81A3EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:31.322{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160F70019BF6FA8B91C853FA93D150F4,SHA256=FE6EDCA3121178B99DCB882E0288A9896B0F758873AD494F8BE40B26DB7C12A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:32.337{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA06C12F0AFC43A600F8C3114D6EFE,SHA256=D1ACBA40FE92C5B770B2FBC44E7DCF51EDCC86DBCF5962303F1CE922169FAC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:33.353{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D352DCAF9FB89DBDE2B42445509BBB2F,SHA256=6B33A0F158DA500CC523DB215626ED300DE4D7CD374900FC98F24E08B494BDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:34.369{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF86F6C2CF209FAA2DA029C7B71C6A,SHA256=790D3FBB36A747897F2FB18ABE4A125EFA1C38930226111BD68103E5921C1E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:35.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8058AFA6B19836C24F59F5D624DBFC40,SHA256=5211539FF81EF24C39ADD4F35434321C4511E9295084A093B42736BE456C046E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:36.853{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12e4-0\System.Web.dll2021-06-23 21:01:36.853 354300x800000000000000019097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:35.125{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61372-false10.0.1.12-8000- 23542300x800000000000000019096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:36.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5BFBC2E4A7A79813EC1BAA1B5B110A,SHA256=8E94EAD2B15EDFB9E34CDB0841BBAF605042A4F7169A4CD1E5A6EE4484B70545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.962{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.947{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.947{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.915{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.900{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.900{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.853{4DB9351A-A131-60D3-A302-00000000CF01}5804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMT7Y5YGDN\System.Web.Abstractions.ni.dll.auxMD5=AA12FB15CD84FE22BF84E10CE38D7B76,SHA256=A4703406C4CAC95E82DE00395AC1A5319B8FCEED28FE01A44E3D0B2270DDA9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.853{4DB9351A-A131-60D3-A302-00000000CF01}5804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMT7Y5YGDN\System.Web.Abstractions.ni.dllMD5=548842E659EBDC1404A4C1C8EBE6E83C,SHA256=870B6C8418F6F920A88A86D2582C7D1B06113086F6E5EC91DFB5108977C2E7BF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:37.837{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16ac-0\System.Web.Abstractions.dll2021-06-23 21:01:37.837 10341000x800000000000000019107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.822{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.806{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.806{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.681{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.665{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.665{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F9031C47B2BC1A7AEC124A4D24804C,SHA256=DE7AFEE0E95B026674D30C7EAB9409D82457F92E078F85913913CB522210242D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.243{4DB9351A-A129-60D3-A102-00000000CF01}4836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EDK0AXEBI5\System.Web.ni.dll.auxMD5=F8AD7C55BD73001D2ABBFD25A56FDF57,SHA256=3F7C57298CF04770828EB9AAF75691E752FD9B2B59E36C2C9308BB5DA3A688C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.243{4DB9351A-A129-60D3-A102-00000000CF01}4836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EDK0AXEBI5\System.Web.ni.dllMD5=A5967BB34924692D20292BA544BBB6CB,SHA256=E409F1536D700E1552B833EF490C9BB3FA846B0B4AF376B920034BB2F9E6ED5C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7625E9E47EA07A5B0CA004BCAE284B8F,SHA256=E44148852265361BA7A3100DFF5338EC7485EF4C0E8E8559D4BC9A13A82CD2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830044ADB3561456754B8276CECA896E,SHA256=E22A5C07E167DE6C5785BC48B9FD76A7A190380CA691E414C7A9D626E553F9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7BE60F3E22DDE81B8A98A0C8A1B63C,SHA256=927D979FF5F1035224BDB7462D4AB7F5E6351A155B77434586B5AEC331BAB585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.368{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.353{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.353{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.134{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.118{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.118{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.056{4DB9351A-A131-60D3-A502-00000000CF01}6424NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UHSZBK3EFO\System.Web.ApplicationServices.ni.dll.auxMD5=D9CBD86D572568560F63592AC4C45C93,SHA256=7B7E84C37B8A3F6D2AA3AE51921EA5D6595579658118B997E8252C545220DDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.056{4DB9351A-A131-60D3-A502-00000000CF01}6424NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UHSZBK3EFO\System.Web.ApplicationServices.ni.dllMD5=286C07A028634A73B9FFB83E5247D444,SHA256=CAC8B2F728B72A35338483555779FD35703C7ADAA4166F45C887210275FA9059,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:38.040{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1918-0\System.Web.ApplicationServices.dll2021-06-23 21:01:38.040 23542300x800000000000000019130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C42807AADE63F782DBB0DD6B2BFC5C,SHA256=08029F0CD6E600EF83350CEC3029D925533C746DC7C42BB94C6B1D211921838A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.056{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.093{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61373-false10.0.1.12-8089- 23542300x800000000000000019131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:40.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024FB29C3FB4925F941012097FCFECCD,SHA256=56EEC5851366856F33317E70E36808AC26FE5151528BD90E5F25DB76724C1943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.948{4DB9351A-A135-60D3-A902-00000000CF01}5548NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTCVD0RH5N\System.Web.DataVisualization.Design.ni.dll.auxMD5=ECD6113E5E6E7F270445B13107E3EE5F,SHA256=2F99FE05612470C6BD9010C190AF69512CD8D2425C3D050C930BB7791E6D990E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.948{4DB9351A-A135-60D3-A902-00000000CF01}5548NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTCVD0RH5N\System.Web.DataVisualization.Design.ni.dllMD5=2CAB8D641662E975AB8E342F7012C92E,SHA256=217C870462F687C5E4C461BB3430D043AB2B53AB3E67679F2FDE5913DA5C528A,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:41.931{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15ac-0\System.Web.DataVisualization.Design.dll2021-06-23 21:01:41.931 354300x800000000000000019143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:40.156{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61374-false10.0.1.12-8000- 10341000x800000000000000019142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.697{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.681{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.681{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.587{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.572{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.572{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E186070E8391CB5F13932ED4C2228C4,SHA256=CF02946BDD9680E7B7404376E70073CC4EEC766D1C344CAE999EB917FB78B10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.462{4DB9351A-A132-60D3-A702-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5JP8MHJSOD\System.Web.DataVisualization.ni.dll.auxMD5=DE2622A49A0D9055B93FD3BAF139D158,SHA256=AFCFB35EA94AC24E7AE8F1353CBC45E2501B51F2D32A8EFB5876A9D6AB82C9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.462{4DB9351A-A132-60D3-A702-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5JP8MHJSOD\System.Web.DataVisualization.ni.dllMD5=FF1228BCF16D430D1112FAB270410537,SHA256=DA4850A9B5EAD8C28365CE1FACF4D74FBA5A403C59565C1ED835F978BD6818BF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:41.386{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1938-0\System.Web.DataVisualization.dll2021-06-23 21:01:41.368 23542300x800000000000000019154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.728{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7625E9E47EA07A5B0CA004BCAE284B8F,SHA256=E44148852265361BA7A3100DFF5338EC7485EF4C0E8E8559D4BC9A13A82CD2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.525{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51A2A702F63BA4C7EBA42D0DA02B74B,SHA256=07B440D3E132CBED0E15FC59A9963205EC7351D39610494B94987BC0C4865C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.306{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A136-60D3-AB02-00000000CF01}5300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.290{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A136-60D3-AB02-00000000CF01}5300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.275{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A136-60D3-AB02-00000000CF01}5300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.040{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A136-60D3-AA02-00000000CF01}6116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.025{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A136-60D3-AA02-00000000CF01}6116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:42.025{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A136-60D3-AA02-00000000CF01}6116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:43.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04970A851FC54FEF2AFFDAAA90F2BD5C,SHA256=0B830481E5740403BC5ADDC8F365CE55004748D5BBBB59FCF9590380C32DA8EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A138-60D3-AE02-00000000CF01}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.962{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A138-60D3-AE02-00000000CF01}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.962{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A138-60D3-AE02-00000000CF01}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A138-60D3-AD02-00000000CF01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.884{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A138-60D3-AD02-00000000CF01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.884{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A138-60D3-AD02-00000000CF01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.822{4DB9351A-A138-60D3-AC02-00000000CF01}3836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\N9MRKRGZ6I\System.Web.DynamicData.ni.dll.auxMD5=C22E91F150EDB4CD008D2BA33EF58E2E,SHA256=85F4BA0A6ABE1F9B527BB2BBDEC915FE6BDDD5C90E267B0C8A60A1F52A16AE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.822{4DB9351A-A138-60D3-AC02-00000000CF01}3836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\N9MRKRGZ6I\System.Web.DynamicData.ni.dllMD5=B78912A307E7BBA4F29DA437414DAF8A,SHA256=DF916CC92732377CD362D6C43ABD78C29B666A59FE4A76A0E5F4F0C7388C53BB,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:44.806{4DB9351A-A138-60D3-AC02-00000000CF01}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\efc-0\System.Web.DynamicData.dll2021-06-23 21:01:44.806 23542300x800000000000000019162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.728{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6A662AAD1230828361BC218B87C3FF,SHA256=436E936045A90D2241BA5B8F7CA71C1F8443E8AF5E002D475EC5F1470E6FF528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.259{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A138-60D3-AC02-00000000CF01}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.243{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A138-60D3-AC02-00000000CF01}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.243{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A138-60D3-AC02-00000000CF01}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.118{4DB9351A-A136-60D3-AB02-00000000CF01}5300NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G3H222JM0B\System.Web.Extensions.ni.dll.auxMD5=E8F4C36A4E6B40383EDA377A04AC3D80,SHA256=D26DEAE3EFF297F307D1DFEA752DA8C1138764F05CFF3BF2C4D1D6C483227224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:44.118{4DB9351A-A136-60D3-AB02-00000000CF01}5300NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G3H222JM0B\System.Web.Extensions.ni.dllMD5=82A7D13D9CDAECC5A12DAF807265050F,SHA256=7C2B3A8CF0A620E68934FC9E1DEE80B5309B281D686BDC02E85A8C2653BE4CCE,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:44.056{4DB9351A-A136-60D3-AB02-00000000CF01}5300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14b4-0\System.Web.Extensions.dll2021-06-23 21:01:44.056 11241100x800000000000000019192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:45.978{4DB9351A-A139-60D3-B202-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1038-0\System.Web.Entity.Design.dll2021-06-23 21:01:45.978 23542300x800000000000000019191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.900{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32CAE9B52967ABED30B97FB590A2759,SHA256=AD8FAAAB71131B3AF5F5FF0483DA1133ED8870320B7EC9F51162E9E3A25457DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.681{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A139-60D3-B202-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.665{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A139-60D3-B202-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.665{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A139-60D3-B202-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.572{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A139-60D3-B102-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A139-60D3-B102-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.556{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A139-60D3-B102-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.509{4DB9351A-A139-60D3-B002-00000000CF01}1176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TWOG0IDEFR\System.Web.Entity.ni.dll.auxMD5=BE26495AB227F594D84D68CBF2C3996E,SHA256=4016A70C60F130994F91566D1054BD5848CBB0A2DB2870417479C85EC78BF26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.509{4DB9351A-A139-60D3-B002-00000000CF01}1176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TWOG0IDEFR\System.Web.Entity.ni.dllMD5=3B0956C6DB4C8B4C84FB1ACEC6F041F3,SHA256=B8D128580B589C369B21125268220ACEDBAC552DE5411CF313F6B63D83CD3E3F,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:45.493{4DB9351A-A139-60D3-B002-00000000CF01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\System.Web.Entity.dll2021-06-23 21:01:45.493 23542300x800000000000000019181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.243{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E35AA0765AAF2A62DE4E6926DCCB348D,SHA256=4C363BA10FC44F487F10C2F0B79F58D7EF7D3C5241DD48EF70F262D53B314EF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A139-60D3-B002-00000000CF01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.228{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A139-60D3-B002-00000000CF01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.228{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A139-60D3-B002-00000000CF01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A139-60D3-AF02-00000000CF01}6696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A139-60D3-AF02-00000000CF01}6696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.150{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A139-60D3-AF02-00000000CF01}6696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.072{4DB9351A-A138-60D3-AE02-00000000CF01}6772NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBCPC7HHRJ\System.Web.DynamicData.Design.ni.dll.auxMD5=7411A37BE63B5304E6165D1602AC946D,SHA256=29C5CCE66171CD6180E387917A39CDBBA51C8949ABB58962D882BBEF2443E290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.056{4DB9351A-A138-60D3-AE02-00000000CF01}6772NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBCPC7HHRJ\System.Web.DynamicData.Design.ni.dllMD5=DA77F7BC5C7BA3BA3DDBC63CA462B62D,SHA256=0465F7A0D59262458766B192A1E78632304161F2BE1738B512E205992FBFFB49,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:45.049{4DB9351A-A138-60D3-AE02-00000000CF01}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a74-0\System.Web.DynamicData.Design.dll2021-06-23 21:01:45.049 23542300x800000000000000019209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.962{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050B23643C4DF58FE2EDE5C7C8F0DF23,SHA256=7F0D42BED428F8CAA87F0B528750EB3C38A7440D0762E31C52822CF29D849D16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.203{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61375-false10.0.1.12-8000- 23542300x800000000000000019207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.947{4DB9351A-A13A-60D3-B502-00000000CF01}6592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EN8D4AZ5KR\System.Web.Extensions.Design.ni.dll.auxMD5=5C6EBD515D79DA98F180A67AD4F7C671,SHA256=5498841C007742257510FC1E67CC64F6DE5CB4099E96F36DA3262878E5508397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.947{4DB9351A-A13A-60D3-B502-00000000CF01}6592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EN8D4AZ5KR\System.Web.Extensions.Design.ni.dllMD5=562C4CB533828D09FD3D8B6C43166FD2,SHA256=EFEF7FD1E49CD41432D7677D7286BB9AE05409BED1573C38A840E414028F4849,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:46.915{4DB9351A-A13A-60D3-B502-00000000CF01}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19c0-0\System.Web.Extensions.Design.dll2021-06-23 21:01:46.915 23542300x800000000000000019204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.556{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19130A299F05F60DD5B5E85E2D32EF09,SHA256=2C14829155FA473511EA3E52D1B895134345FA609EBCC7F6EDAD7A3DB013EB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.368{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13A-60D3-B502-00000000CF01}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.353{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13A-60D3-B502-00000000CF01}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.353{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13A-60D3-B502-00000000CF01}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.228{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13A-60D3-B402-00000000CF01}5328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13A-60D3-B402-00000000CF01}5328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.212{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13A-60D3-B402-00000000CF01}5328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.088{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.056{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.056{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.993{4DB9351A-A139-60D3-B202-00000000CF01}4152NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\X08IQRKSBG\System.Web.Entity.Design.ni.dll.auxMD5=0579001CA4D2CFCBB305EEB80FCC2F46,SHA256=49133F4237934A873AFFF09ECAD48B6C366D418508EE83420E1897C7703C90A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.993{4DB9351A-A139-60D3-B202-00000000CF01}4152NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\X08IQRKSBG\System.Web.Entity.Design.ni.dllMD5=8CE96DBC36476037D0ECA751F5CC8E77,SHA256=214D9DEE07FBD80A83B3903E57B0CAFE751B397B3EB9AD2321E36634633E28CA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000019215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.228{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.228{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.040{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.025{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.025{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:48.993{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3414AE5086D6446D59DBDDFE3FCD075F,SHA256=E72793776B89A96EFBD50020BD07B87F33347D914765243438B873EF2E8548CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:48.025{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604AC0A4F1B2AC6E3491DEB81405689A,SHA256=36CAB552AAF7F8ADF3EF34FE3A13720EBA57366EBE5C6729AAAD92912F0056DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.993{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146CF8B5EF679AA7B3A16920D0EC89F1,SHA256=DF89DB19384212C4560D9AF96ADDFDCE41571306F10E6FD899DDF339CDA9DB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.962{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.962{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.915{4DB9351A-A13D-60D3-B902-00000000CF01}2580NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUMQKUGBZ0\System.Web.RegularExpressions.ni.dll.auxMD5=6D25FFF148E58B1C53D70FC69B5EFC03,SHA256=D092EE4968BB6655A4510984C3519BA20A5569576971D3E089EA7C5A4BB55038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.915{4DB9351A-A13D-60D3-B902-00000000CF01}2580NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUMQKUGBZ0\System.Web.RegularExpressions.ni.dllMD5=D6A39AF2473D520CC5245039E8BE0D4F,SHA256=39175B67801F1BF908C7A17F59DA9283F7EE011A5C9D516C977AEAA9F7AF133C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:49.884{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a14-0\System.Web.RegularExpressions.dll2021-06-23 21:01:49.884 10341000x800000000000000019227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.618{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.603{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.603{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.493{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.462{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.462{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.368{4DB9351A-A13B-60D3-B702-00000000CF01}5332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SLEL337AV3\System.Web.Mobile.ni.dll.auxMD5=68487768F816BFE51BCA07EDE4CA35A2,SHA256=643CE2C5A50097DE0A83C14AADE465C4A91DABA5842D2DB9223198EF4084F053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.353{4DB9351A-A13B-60D3-B702-00000000CF01}5332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SLEL337AV3\System.Web.Mobile.ni.dllMD5=898E41E20ECA08304316809E65D3C8A5,SHA256=640EB6DD0E28C9DF72AEACCC55C934402BDD12705981D8A967D6B3A0DB369103,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:49.290{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14d4-0\System.Web.Mobile.dll2021-06-23 21:01:49.290 23542300x800000000000000019247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.467{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FE5BA6F8D44F4406FE38C2AC9D5E9A8,SHA256=CA8AA94931A2C17DB94AB064543D1B48F2B479FA1B9ADED41A10FE70BEE8690E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.311{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.311{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.170{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TZ4VBGPN69\System.Web.Routing.ni.dll.auxMD5=F7421FA0247091CC0A59AA190EFB608E,SHA256=274EA93534F212080D2787844DC889D1FF8840892D1ADEEBE217AA8635705D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TZ4VBGPN69\System.Web.Routing.ni.dllMD5=449832FC81F1948B6FFC6EE312D813CE,SHA256=8D61A280C3648D667B1A62555F9194460A0E74550951D6C661D103CD85675716,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a94-0\System.Web.Routing.dll2021-06-23 21:01:50.123 10341000x800000000000000019237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.092{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.077{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.077{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.014{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0556017AD798A7AFF7066F1646FC4B,SHA256=FDE5C4D5055FDE1C5933BBB7F9E0C7CC13D12C662A497B7A604BDCCEF887F7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.904{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.889{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.889{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.270{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61376-false10.0.1.12-8000- 23542300x800000000000000019251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.764{4DB9351A-A13E-60D3-BD02-00000000CF01}7064NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GXD62PDA5J\System.Windows.Controls.Ribbon.ni.dll.auxMD5=908C18AF620ED724F990F12D78B2EBE1,SHA256=DFC1347B5DD13D0B89D980C90B215030CE858DEC767A9436D72B3E0B97080871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.764{4DB9351A-A13E-60D3-BD02-00000000CF01}7064NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GXD62PDA5J\System.Windows.Controls.Ribbon.ni.dllMD5=16FDF0EA6960164B47EA7D418D2AA1FF,SHA256=1D7D581848DB3B20E6D1A183D35FE4457257C3167795798ACC5381D19A118585,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:51.701{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b98-0\System.Windows.Controls.Ribbon.dll2021-06-23 21:01:51.701 23542300x800000000000000019248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.029{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9565B5E6F7DEB6D5E52FCD2F674C47,SHA256=1E4A9450D45AAB6D40357058067A7B7EF64EF5FD6435FD24650FB6F27190307B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.910{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36467C9CF229FBA77B6E3B535CAC95CF,SHA256=C62F1EFF7F6427B8C39E54EB59CD526CFF39006E5DEE4E2C38DFAAF9A2C0763D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.061{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.061{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.061{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BB4EF97F59A3936C19B2D8D2D9F627,SHA256=9BF0D9BF19749207418602E55620C2A3C65F54FB2135AC1B2DD524F01D6EE0BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.942{4DB9351A-A141-60D3-C102-00000000CF01}53443656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.568{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61377-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000019278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.568{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61377-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 10341000x800000000000000019277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.709{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.113{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8071EE411A2CAC55FE9B0B88F306CC08,SHA256=5C7B991FBAC822ED572D2F141D41EDFA380262216A4DFDEBE4E909784E50C339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.083{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019299Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.945{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A142-60D3-C402-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019298Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.930{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A142-60D3-C402-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019297Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.930{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A142-60D3-C402-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019296Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.836{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A142-60D3-C302-00000000CF01}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019295Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.820{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A142-60D3-C302-00000000CF01}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019294Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.820{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A142-60D3-C302-00000000CF01}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019293Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A142-60D3-C202-00000000CF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019292Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019291Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019290Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019289Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019288Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A142-60D3-C202-00000000CF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.742{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A142-60D3-C202-00000000CF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.743{4DB9351A-A142-60D3-C202-00000000CF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.695{4DB9351A-A140-60D3-BF02-00000000CF01}6980NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3LWIYI6FA7\System.Windows.Forms.DataVisualization.ni.dll.auxMD5=B1B375697DC08A94D27AEF3BEAE75A09,SHA256=573F7CB2B7B7B63F94F7C653797D6983894D6C9A4AD13F8C0A8953B203CF1D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.695{4DB9351A-A140-60D3-BF02-00000000CF01}6980NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3LWIYI6FA7\System.Windows.Forms.DataVisualization.ni.dllMD5=9156E23F2AFB70ECEEBF432384AF86BF,SHA256=093BE4FA0A2EFD66842621F0AD1480275BCC3E6C3BC5316BDC268B0DFF6F7E98,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:54.617{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b44-0\System.Windows.Forms.DataVisualization.dll2021-06-23 21:01:54.617 23542300x800000000000000019282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.129{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EB4102D617131A4E749DEF967C72F4,SHA256=974B14E4C948AEBC5C26603D6BED8EAC71B4252F3569E621866A5D29D8CA9CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:54.098{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CBEB23F5729FD6F2124FC41D058EAEA,SHA256=3CA725D6EE29C3EDC29525580E8D7BE620A17D3C43BBC3A6708BA82E24316FC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A143-60D3-CA02-00000000CF01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019328Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-CA02-00000000CF01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019327Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A143-60D3-CA02-00000000CF01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019326Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.805{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A143-60D3-C902-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019325Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.806{4DB9351A-A143-60D3-CA02-00000000CF01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019324Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.789{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-C902-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019323Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.789{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A143-60D3-C902-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019322Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.773{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15767D5E45B7EA1598F3FD55010ABC7,SHA256=0E1FE51F46152A04720C2873CDB9142FE9242CA825925A650E04FE493CFC8362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019321Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.711{4DB9351A-A143-60D3-C802-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SM3PP0H8JY\System.Windows.Presentation.ni.dll.auxMD5=F40386B1E261320E15B94734EB771434,SHA256=4EDEABB8C5B590EF17A9FAE906989FE590A4852F8CB7843C14D40F0E6F9A6B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019320Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.711{4DB9351A-A143-60D3-C802-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SM3PP0H8JY\System.Windows.Presentation.ni.dllMD5=88E40D149BDF11667CC698362A7734E7,SHA256=25BA3CE29F1C0D7DA982E4C2177A5A5616F9B110FFB44515572825E483158F47,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019319Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:55.696{4DB9351A-A143-60D3-C802-00000000CF01}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1428-0\System.Windows.Presentation.dll2021-06-23 21:01:55.696 10341000x800000000000000019318Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.570{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A143-60D3-C802-00000000CF01}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019317Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.555{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-C802-00000000CF01}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019316Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.555{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A143-60D3-C802-00000000CF01}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019315Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.461{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A143-60D3-C702-00000000CF01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019314Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.445{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-C702-00000000CF01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019313Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.445{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A143-60D3-C702-00000000CF01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019312Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.383{4DB9351A-A143-60D3-C602-00000000CF01}5724NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JO4NYHMDER\System.Windows.Input.Manipulations.ni.dll.auxMD5=4BDF691B1B50D2D0BF3EF9B3EB2C610C,SHA256=17814F7A01BA6EFFE9D9429E7E319612AF2E56DA6CEFE180B4635D1EE71308C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019311Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.383{4DB9351A-A143-60D3-C602-00000000CF01}5724NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JO4NYHMDER\System.Windows.Input.Manipulations.ni.dllMD5=FCEFC9E45125B6EC40A13911651263A4,SHA256=FDAFA5C24294B0B26747B5EB6498CEB0B2E3E495CF47737359527C5846056E20,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019310Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:55.367{4DB9351A-A143-60D3-C602-00000000CF01}5724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\165c-0\System.Windows.Input.Manipulations.dll2021-06-23 21:01:55.367 10341000x800000000000000019309Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.258{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A143-60D3-C602-00000000CF01}5724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019308Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.258{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-C602-00000000CF01}5724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019307Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.258{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A143-60D3-C602-00000000CF01}5724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019306Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.211{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A143-60D3-C502-00000000CF01}3032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019305Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.195{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A143-60D3-C502-00000000CF01}3032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019304Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.195{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A143-60D3-C502-00000000CF01}3032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019303Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.164{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE4B8575D3CDD42CC4E107110619AED,SHA256=1AA0B7FF8092A886156F8B5840F18150B2C113B559D80E6184685B4852351BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019302Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.148{4DB9351A-A142-60D3-C402-00000000CF01}1336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9NU9HWLHX7\System.Windows.Forms.DataVisualization.Design.ni.dll.auxMD5=78599A1B8493785F093F32E9AF9022A3,SHA256=A315CF772511B15DB7963986271B11BA254B1B12502368C8E195499848E3CB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019301Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.148{4DB9351A-A142-60D3-C402-00000000CF01}1336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9NU9HWLHX7\System.Windows.Forms.DataVisualization.Design.ni.dllMD5=43145A886A97B7C87D0CF1A9BBDDA8C5,SHA256=3B2B448EBCB27CE4D9A9C0317D6EFD50D57D635AD7B3ED46BED5BC9793699474,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019300Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:55.133{4DB9351A-A142-60D3-C402-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\538-0\System.Windows.Forms.DataVisualization.Design.dll2021-06-23 21:01:55.133 23542300x800000000000000019339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.820{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712641F927CB215E9EEC32D730317D37,SHA256=E3729AC9CBFA47C35C6943A7FEC248D1ECE3E4894524D3C6BB64CEBAEC05D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.430{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB0C44A1C02C2CD3AFC26C92E8CDEC2,SHA256=0FFE5D08DB4E543338DE8A4B9C50E91D2810C67C7AE8E88A6BB4533AADABC325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.180{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.164{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.164{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.055{4DB9351A-A143-60D3-CA02-00000000CF01}55882312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.476{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157012F3E7472F5E01963294173BEF1,SHA256=32E013A63D0C64D618889404EFC79FF10E787E9CF58C5C07CF7189FDAEC51B59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.351{4DB9351A-A145-60D3-CC02-00000000CF01}42045680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.056{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.773{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.758{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.648{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.648{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.539{4DB9351A-A144-60D3-CB02-00000000CF01}5936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KNYONB6P42\System.Workflow.Activities.ni.dll.auxMD5=D1C9D6C281FD10D3EA0ABE7773CEE5CD,SHA256=6334460E47D65AB61BD30EA454E063DC95CDECBBA069A382214D554884C96FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.539{4DB9351A-A144-60D3-CB02-00000000CF01}5936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KNYONB6P42\System.Workflow.Activities.ni.dllMD5=A7203C7CA28EC5708948AAB0C8415F0D,SHA256=13C2E328D5DAD8783A82899C4B5F2F7C65D0CE2A60F95F976FD83F057109018B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.508{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD542D7CAC91EF6271FEADBDF58CBB3,SHA256=BE24E988D30C875F573D3EE6426AE401B12E77E86088CB5B3C3D73D246592922,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:58.445{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1730-0\System.Workflow.Activities.dll2021-06-23 21:01:58.445 10341000x800000000000000019360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.273{4DB9351A-A146-60D3-CD02-00000000CF01}55484296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.201{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61378-false10.0.1.12-8000- 23542300x800000000000000019358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D543C6CF8B7898B9330CC508E40787EC,SHA256=C7E12CE33C4BA9B1E76791F62755DBCEB8C418C96602D125506E076528E40EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.071{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.680{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.668{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.508{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2A433C4C86824C18ABE3A92273461B,SHA256=A019EC64B9A8ED1D6F9E3BA57256156103FCAF2DB94891C32D945DF000F2ADD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.289{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F77F4CC462BEEACF1752CD19BF64CE,SHA256=6743C940056E34B46018B61BEFC8A9B86D2E3B44DA0D67492A17D2B0D0AFBA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:00.680{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DEAFF50E77C549DDE8560A676982DB7,SHA256=FE74D0E66993713C5B29E2B5F3FF4232F58E399A082CBBEF7E01703282EFD2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:00.524{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33DCDF2A01FE80C53F0A17454334C18,SHA256=BE6D2133873B8D79474FEEAD2F56FFC87E52A01E7F2E2CCB7256E06D6FC98F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:01.570{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3705B70C0014C6364C351FB8426A7DE0,SHA256=C9757CBAAFC84BB71257CA941433298098BB605D0F7F90B08565CB2F2E496BC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:01.320{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.914{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.899{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.899{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.742{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.742{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.602{4DB9351A-A146-60D3-CF02-00000000CF01}5568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\O5H6Z3HL3W\System.Workflow.ComponentModel.ni.dll.auxMD5=688C6CF4A929D6B6A46AA0D20C3C088B,SHA256=C8A8A336DD46A2D97A19F13FB8CA434335BA188F4D2C46B5D615EDDBCD7F2CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.602{4DB9351A-A146-60D3-CF02-00000000CF01}5568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\O5H6Z3HL3W\System.Workflow.ComponentModel.ni.dllMD5=BAA214A5082FC7FF1F1FBA3E4E5D2F12,SHA256=AAAAC19024AF7FBAEDBF65C8E6AAE15887E3389A6D384B35EDB6DF720FBC0B22,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.586{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C7FD5AA6A7BBE9A7842A7AFB7F5364,SHA256=B97DEEE0DE5139A0BEC58B09A7F0B2F9DE062EDE1FD9F817927D91C70AC5583B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:02.508{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15c0-0\System.Workflow.ComponentModel.dll2021-06-23 21:02:02.508 23542300x800000000000000019397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.789{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571167D11A5615B40ABF69C3E85EE5AB,SHA256=DDF690E6B0B9E38D17F9FDAC22EB41872C59A190B8C0620C87219860FD6D69B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.601{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8102D6110206DB48825279D1074605,SHA256=E59BE2FFC44FED8160B639F1B69FD881D4818AB74D429540FCF847411CE0331D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.226{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.820{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.820{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.711{4DB9351A-A14A-60D3-D202-00000000CF01}5716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GBDB416032\System.Workflow.Runtime.ni.dll.auxMD5=264F462FE9E154280590A6AAE0CD3184,SHA256=FF58B834528695687225ECE95CB46797CBA517AFA0A5745E201F7A297EB8BD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.711{4DB9351A-A14A-60D3-D202-00000000CF01}5716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GBDB416032\System.Workflow.Runtime.ni.dllMD5=B503C4624CD0019CF1E3AFA4566F6138,SHA256=2884AB09763C6899CF56E5F43611BB7D9B34361BFACA0766073C2C38AC6E71F7,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:04.648{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1654-0\System.Workflow.Runtime.dll2021-06-23 21:02:04.648 23542300x800000000000000019399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.601{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908F335556DFAEA3F493A313C34B43A3,SHA256=C2A6AD94211327586EE1E45BFDDDACD5E71E16E05D8315D59144BEFE95FB9F0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.189{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61379-false10.0.1.12-8000- 23542300x800000000000000019410Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.836{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F41147A83F94E3D94F9930A9BB01F8D1,SHA256=5786443E1616C2B9BE48AE5F9BF0AF91347F6414B74C3729151AC2B67994754C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.617{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87BC2B0784A144043F210C982E80118,SHA256=A7BE68D03774D272FD23A3813373898963CB8796FCA4985C0D88DF135A3B58B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.086{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.070{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.070{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.898{4DB9351A-A14E-60D3-D802-00000000CF01}5708NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B103MU2MTZ\System.Xml.Serialization.ni.dll.auxMD5=043E8E939A54185178009B5F13EBC49E,SHA256=C5BB6496C4D722EF61AC0146A28F0A869766C5C724C34CB914235F1C13B693B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.898{4DB9351A-A14E-60D3-D802-00000000CF01}5708NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B103MU2MTZ\System.Xml.Serialization.ni.dllMD5=0BEC3186FDBBA99DB073799E2C56F8C3,SHA256=7306E0506D9C83DEBF960646E9F78A2DFCFF683B997DF652BEE880F04AB1EF1E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.883{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\164c-0\System.Xml.Serialization.dll2021-06-23 21:02:06.883 10341000x800000000000000019429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.836{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.804{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.804{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LT34B5P075\System.Xaml.Hosting.ni.dll.auxMD5=E6D62607E91857B9B7E4E1E94B2430F9,SHA256=793EF573CD8AA241F6A6B06FCC16D5A59986AD7E29449A69B1A98E8F33B1D650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LT34B5P075\System.Xaml.Hosting.ni.dllMD5=4C91471BF558E18E3401A8E5360B1926,SHA256=B1A0BFCDFA22A0B52C1344210399BDF47024212E4C5E9035E99D8E096385027D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c38-0\System.Xaml.Hosting.dll2021-06-23 21:02:06.679 23542300x800000000000000019420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.617{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B8C3B93009ACBDD5F51CBD22BE1E60,SHA256=9831616A515EF7AB306AA3AFA55D71758D5B495A5EF9E5FFD16D57FB4172E5C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.601{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.601{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.523{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.508{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.508{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.429{4DB9351A-A14D-60D3-D402-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JLF666LVDJ\System.WorkflowServices.ni.dll.auxMD5=6BA34B96964F969A6B062E5E64CC9D89,SHA256=2C1B52EAD4E6D4CC30E7BF3B2C25902517F25A983C7EE2F8DCD97A25A8D13C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.429{4DB9351A-A14D-60D3-D402-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JLF666LVDJ\System.WorkflowServices.ni.dllMD5=AE413991E0181FA472F33A8233D00EEB,SHA256=532F6270CDD22480EE70B6A9AD2A18062C59E1A831AD9E5F59DAAFE12C3329A3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.367{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19e8-0\System.WorkflowServices.dll2021-06-23 21:02:06.367 10341000x800000000000000019480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.773{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.758{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.648{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00425DE3339FB010CC262CFDE52701,SHA256=4C2A559C2774AF6B9A33E193BD15001E8F3B921A7A31F1ED1F0102EFDE212EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.601{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.586{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.586{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.539{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77B7870B9C50325E251AF41C1297EE9,SHA256=EFE0F4637710FC9CF6997BAC35EF5AA3839F61425A0EE24A929A18BDC959FAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CT5DBQT78A\UIAutomationClient.ni.dll.auxMD5=1B04600FE3C4F8E57FBEEEFC3983E933,SHA256=231DD0317EA9B37566B31036BDC812FDA72A1DA8945B0FDD45050FDD6ACEE2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CT5DBQT78A\UIAutomationClient.ni.dllMD5=79BF4ED10FC371DA5B5B4422DA9EE498,SHA256=38B451BB6946FF1E1E3F7940C38A846DFEC6C4BD71961FF8F448ED05496EEFCB,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1990-0\UIAutomationClient.dll2021-06-23 21:02:07.523 23542300x800000000000000019469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.336{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE94AA3880BF288BF9A5F6E1960C19E,SHA256=68A396540418904DF5EDB8308EA774C26E0BDF5C24E7EB74ED0F0AB4FF670ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.226{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.211{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.211{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DA02-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.133{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DA02-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.133{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DA02-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.008{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D902-00000000CF01}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.992{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D902-00000000CF01}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.992{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D902-00000000CF01}2328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.820{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A150-60D3-DF02-00000000CF01}4832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.804{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A150-60D3-DF02-00000000CF01}4832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.804{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A150-60D3-DF02-00000000CF01}4832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A150-60D3-DE02-00000000CF01}6504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.742{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A150-60D3-DE02-00000000CF01}6504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.742{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A150-60D3-DE02-00000000CF01}6504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.664{4DB9351A-A14F-60D3-DD02-00000000CF01}3336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0RHD0SJX41\UIAutomationClientsideProviders.ni.dll.auxMD5=9D6D78861522C3FB97DA8B09C8E446DC,SHA256=08CD6AD8DC25313A6243C514AAD58762B3A6FFD3DC7A5299F96383D95CFE7B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.664{4DB9351A-A14F-60D3-DD02-00000000CF01}3336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0RHD0SJX41\UIAutomationClientsideProviders.ni.dllMD5=C97097D040E8D1C64BC37BC0729DD6E3,SHA256=591FD736BE66F8802BD9CD4C367EB8F39983175197E27A2FF3D0B4BDEDE78093,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.664{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BE884362912AB2F7C164139615B484,SHA256=9030F54B2FEC42A949AF922ADC0E398FC47883D72902707C6ADD7D9704B2ECD6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:08.633{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d08-0\UIAutomationClientsideProviders.dll2021-06-23 21:02:08.633 23542300x800000000000000019482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:08.617{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=033154993108D32876F258D1534D5426,SHA256=F6E7341A4D8F8D045CDF934630527110465FB2F5C351CB6E3A83F683B74D177F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.202{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61380-false10.0.1.12-8000- 23542300x800000000000000019518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.961{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DA9B97B9A618FD7069DD9A693086781,SHA256=F4C0BC03258A31A4E6967D89770C55E4A3B83A9563141C62B25F44DFF3050E4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.945{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E402-00000000CF01}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.929{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E402-00000000CF01}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.929{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E402-00000000CF01}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.883{4DB9351A-A151-60D3-E302-00000000CF01}3016NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FYTR7IAGCX\WindowsFormsIntegration.ni.dll.auxMD5=C8A4279CFBE925C850CA4C4DD2C1C528,SHA256=7BF8A985A352C514A84D74B9F53A100657E22670D5DA00328E691D214E2611E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.883{4DB9351A-A151-60D3-E302-00000000CF01}3016NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FYTR7IAGCX\WindowsFormsIntegration.ni.dllMD5=399562C6D47FD0191F0FE8CB6D4634A0,SHA256=ED75707ABB2915A731074CE545C406BE91D120CFFECDA03DA4FC464739FB528C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:09.867{4DB9351A-A151-60D3-E302-00000000CF01}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bc8-0\WindowsFormsIntegration.dll2021-06-23 21:02:09.867 23542300x800000000000000019511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.680{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CE2A514B06515415FE1A071106C652,SHA256=93E2001A6E1674CD7968351FB6B76F38D65371E8E69485D6E4275CD505F2DBA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.601{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E302-00000000CF01}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.601{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E302-00000000CF01}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.601{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E302-00000000CF01}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.523{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E202-00000000CF01}3740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.508{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E202-00000000CF01}3740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.508{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E202-00000000CF01}3740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.461{4DB9351A-A151-60D3-E102-00000000CF01}6856NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G3V43CF0NX\UIAutomationTypes.ni.dll.auxMD5=CCC017EEF8664392419F354669DB9F67,SHA256=004AE4A1A6C92F266610DF7F476901AD45238490F15E0EF8AB7A72891AB0CA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.445{4DB9351A-A151-60D3-E102-00000000CF01}6856NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G3V43CF0NX\UIAutomationTypes.ni.dllMD5=0D8547DDA6B9A187656DCE8F3AADC1D8,SHA256=88D84B9CC8243B46B2092A1FE4D34FBEFA8158B91246EDFCC12034FAFE95669E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:09.429{4DB9351A-A151-60D3-E102-00000000CF01}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ac8-0\UIAutomationTypes.dll2021-06-23 21:02:09.429 10341000x800000000000000019501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.164{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E102-00000000CF01}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.148{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E102-00000000CF01}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.148{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E102-00000000CF01}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.117{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.101{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.101{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.023{4DB9351A-A150-60D3-DF02-00000000CF01}4832NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8V8F9RM0Z\UIAutomationProvider.ni.dll.auxMD5=9DA4CCB364E51A8E33B5D3B79C9520B4,SHA256=41F68A796D32B90974A78C449660C6EAFE56A4E3DA61FBD939917B5159C2CADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.023{4DB9351A-A150-60D3-DF02-00000000CF01}4832NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8V8F9RM0Z\UIAutomationProvider.ni.dllMD5=94757D3805032FF0720BB522BF7ED731,SHA256=5B384EBFD968FCF5E10F2726296D3A555429C91E481A87553462167510492734,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:09.008{4DB9351A-A150-60D3-DF02-00000000CF01}4832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12e0-0\UIAutomationProvider.dll2021-06-23 21:02:09.008 10341000x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.950{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.919{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.919{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.794{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.763{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-A152-60D3-E802-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IQQNJZTO5\XamlBuildTask.ni.dll.auxMD5=E54ED8F0B4B0EC6835D8EACD4942D994,SHA256=052969D57B72B8F06836E7363BFE26F53A4851B0F8337A0F1B2B9E0863A8B276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF12276DECD99CD0E321A5A02EF089,SHA256=EFDDD3FDFF9B0C5C893031C237435C23052DF65646EAEFB626F328F2F56F0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-A152-60D3-E802-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IQQNJZTO5\XamlBuildTask.ni.dllMD5=27CB5817FF16B670DEB6F7376D47798C,SHA256=88A18B2C41E9B0F7E4F31A638F27A694974E652AE06392C76DFE29F0CB56C23F,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:10.685{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cb8-0\XamlBuildTask.dll2021-06-23 21:02:10.685 10341000x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.263{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.247{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.247{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.153{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.153{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.106{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.106{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.008{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.992{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.992{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.153{4DB9351A-A152-60D3-EA02-00000000CF01}5176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNRG7GXBX5\XsdBuildTask.ni.dll.auxMD5=027D89875FE14A5317A2A1BAD9AAD681,SHA256=046703E16FA143CB995ACC29F2521895393BE508918B992AF20F41993F8E469C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.153{4DB9351A-A152-60D3-EA02-00000000CF01}5176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNRG7GXBX5\XsdBuildTask.ni.dllMD5=961E075098B6807574CB78CA0F7CD72A,SHA256=8F2A11E07BE11B1B888E0B12744E0537523F4A01F8601AE6C528DB7796D9F6D4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:11.142{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1438-0\XsdBuildTask.dll2021-06-23 21:02:11.142 23542300x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.077{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A2B475563BDF87116152357EE47C834,SHA256=C04890B493CE7CE62E3F23ED1A3B9DA3CF6A243BDDEB46D83297CD65B17E7080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.919{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A039-60D3-1801-00000000CF01}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.919{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.763{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A036-60D3-1201-00000000CF01}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.763{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.716{4DB9351A-A036-60D3-1301-00000000CF01}67486832C:\Windows\system32\conhost.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-A036-60D3-1201-00000000CF01}67806776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{00000000-0000-0000-0000-000000000000}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFF5B025A07) 23542300x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E6C1CF0FEC9FE9786AE7B3FA2C7B5D,SHA256=1082180789ACF009F7E11F4DF5AE029458B847779F8CBAFD71DAB297C35F0783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.841{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4C1A0E4B968915989F55ADC45EA9DC,SHA256=504BF2BF618D3B57F2642E38AD20B5D88DE947F3FDC2F79757275C0DBD5185BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5D8CF69E5E5358D81EF52A436939F4,SHA256=6BBC33EF76416B449267366DD111CFA7390BEBBBF3E152C1D3E397B91145F6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.622{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.606{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.606{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.097{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61381-false10.0.1.12-8000- 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:14.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:14.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:14.013{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:15.013{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D418D557C72ABB5C47DE6DE83C62C95,SHA256=54AE705E33BE4D5504C3538D53E1E51C132B6FF54F6B896A3B17237DB90C0775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:14.997{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F1D9D9FD719D062DE4301EEC2E7BE8,SHA256=AF5B34DAB3D13AD11764666A6D8366E64B0E0E0B7B99F85FFC5B8E44CE158B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:16.122{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6292CD3E46572BB53E0E0F76B0A17F75,SHA256=0D0FAF1AED6335A12C00FB4A94666C4A242DDD360AF643D1B81323A1BF26AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:17.138{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B9BFCE6873803203C5F9C61E723963,SHA256=8C8C87783F3A7D683CEA8214B9CBF3D253FB49DFC49A1089AC13FF942572E2E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:18.700{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1be4-0\System.dll2021-06-23 21:02:18.700 23542300x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:18.169{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FED20933CC2DC9F88012B75A7E8270,SHA256=972E1CB643D98348F1A2FA2F92F7F9788E8C6F724405F5B7AEF56AF2FA49B0A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.778{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.763{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.388{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.372{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.372{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.184{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE675E6BA3F272D8A893B537CBB0CA4,SHA256=0FBE96C5D9E38D8A36BB05B026CB712D27FC743016E85FBAFEC265F450AC5202,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.113{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61382-false10.0.1.12-8000- 23542300x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.544{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA7FED7C269A8D32032602865D048C6,SHA256=3A9CE38E623DBBA5EB26790B2D47FE8EFFC509FF1888AA78C8F7C2186E65A3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.544{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB616C3419877F2D76A9B2914C4F2C91,SHA256=A5538775588C54115314ACF9EC05CE1AAFFEF1737CB973914186DABF79A522E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.216{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA79D382C65AB5677E0882CB2351C397,SHA256=B5B81B55454AB48BD5AC5A4BA7939FF344460A69BAAD607F029705F89F90DE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:21.216{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6018C6AEE8398B820732ED7CEE6CC5,SHA256=5AEC56B21EB732715FBE6BCC60E845CC88CA3CA67EEC5F8DAF838E80EA688029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:22.231{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47051C41CB9C921DC85A7ADCE162B2D,SHA256=AAD048CF4D2F2A91F0A1B865FAED22E5F98377BB786C27406DB95565DE42086F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.638{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.622{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.622{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15F-60D3-F102-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.466{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A15F-60D3-F102-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.466{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15F-60D3-F102-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019587Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.294{4DB9351A-A15B-60D3-F002-00000000CF01}7112NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OHWPO8MW7V\System.Xml.ni.dll.auxMD5=E01ABDE7405B6917FD52CBCECEDFB15C,SHA256=73DEA8197F091277613BAAFEDBE37A4231410291B5AFABAC8D6907407482215B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.294{4DB9351A-A15B-60D3-F002-00000000CF01}7112NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OHWPO8MW7V\System.Xml.ni.dllMD5=5F6EA5E77659D339DC666E0BCCD7B0FB,SHA256=D03C42DCD3565491379E0C0940E60507EB8B28F6FAC705F98D68A788AA31F8C8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.263{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8301A2152143618D4ACC33D0F98C5CD2,SHA256=42D476BD0104EAF9BDBFAF403BC518F93372EA81EE62E109419B43368B00D399,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019584Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:23.138{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bc8-0\System.Xml.dll2021-06-23 21:02:23.138 23542300x800000000000000019595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:24.481{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA7FED7C269A8D32032602865D048C6,SHA256=3A9CE38E623DBBA5EB26790B2D47FE8EFFC509FF1888AA78C8F7C2186E65A3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:24.356{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891569CAE99D069E2706443899B9A20A,SHA256=590CD36ED222B77746F5E5259DD09BD3E8D567BA9036650215BFAA380FFEF083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:25.356{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2756FDFDC7F85CE6F1F10C7D9F01AC,SHA256=C83E31B330A87AC7F53965E332A0EB8D24E796DAEA90068BB6222D5EF7EC80BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:26.387{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E578BAF443C970268471E42C55F58EA9,SHA256=B7B78CE45DAA5434679611338A4E6CCE643818C06A5C4B7CF70D35626F2DAC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:25.113{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61383-false10.0.1.12-8000- 23542300x800000000000000019597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:26.106{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4262AA929BBC760C522631DE9230D194,SHA256=7F149A78B34A1321C438D4850019541B7FB8E6AA1C0F4AA8396AB167EECF5338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:27.387{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA905EB3AD1249A72A32D6E903E98A1,SHA256=1C3FB6733DCBEA7D236653CAB95032682D4754348383B52BFEF8EAB8423DD9F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:28.934{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19f4-0\System.Core.dll2021-06-23 21:02:28.934 23542300x800000000000000019601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:28.403{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E23D3F92E173956126BD2EBEB3391C,SHA256=F34D2B97BF7452FDEF33916E557F863BAA5291EA1D5BF105E781B328025F0A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:29.466{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A165-60D3-F302-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:29.434{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A165-60D3-F302-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:29.434{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A165-60D3-F302-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:29.404{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D863DA69E6D34F2CB15430191B25EC,SHA256=402406A5487DCA1FDFA7690B011885E8F2B237F20D12A49824D9302A3D0872F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:30.995{4DB9351A-A166-60D3-F502-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bbc-0\System.Drawing.dll2021-06-23 21:02:30.995 23542300x800000000000000019618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.479{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=045A477B07FDEB7759815FF07C7058CC,SHA256=83BBE02E24EA5D19AB34678E05DF4A34B4EC21280864CF53037E7AE5F431DCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.479{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E25AB04C1C3C03DDF653E1328D82B1,SHA256=CF23A5FA1B121E89C7CDAAE04BA42F1AADA51B1CD3E7A99228F75CD65796D1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.432{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89ED5EED419778C18B75342EDDB9BE52,SHA256=F356E21FEA56CB01A9EEF89DF078F827258CB84927A66EFB5F285F7B8515D4F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.370{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A166-60D3-F502-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.354{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A166-60D3-F502-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.354{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A166-60D3-F502-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.135{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A166-60D3-F402-00000000CF01}5896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.120{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A166-60D3-F402-00000000CF01}5896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.120{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A166-60D3-F402-00000000CF01}5896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.057{4DB9351A-A165-60D3-F302-00000000CF01}2244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\P2VW3KZBA5\System.Configuration.ni.dll.auxMD5=D6F1264D73AC502913FDB4D98ED97993,SHA256=A0AC0B3309BE4D33B8429881C33D821430FCF740347E26105DE66DB011223535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.057{4DB9351A-A165-60D3-F302-00000000CF01}2244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\P2VW3KZBA5\System.Configuration.ni.dllMD5=C0E6B8ED92D7C9595C92AE6B060A73DB,SHA256=839272E5CA71BD9FE65D5622632AF6E57A4323AF6AE61FE4A3B2BC0E29E31D0C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:30.012{4DB9351A-A165-60D3-F302-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8c4-0\System.Configuration.dll2021-06-23 21:02:30.012 10341000x800000000000000019628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.604{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A167-60D3-F702-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.588{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A167-60D3-F702-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.588{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A167-60D3-F702-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.432{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C117119DE8A8B81065213F5CC641C51,SHA256=7DBC3EF1F8FE468DC25C29F2F7896D95AE6F56DB5127A200143DFFB6A57A7F14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.135{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A167-60D3-F602-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.120{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A167-60D3-F602-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.120{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A167-60D3-F602-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.042{4DB9351A-A166-60D3-F502-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BHQ5VDU9ZI\System.Drawing.ni.dll.auxMD5=C80E16AD1229B24FDB2212F630BD19B4,SHA256=5639E76749267C2CF4B60A953420C9A3E5D3471949115C7371FF9F89678EC6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:31.042{4DB9351A-A166-60D3-F502-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BHQ5VDU9ZI\System.Drawing.ni.dllMD5=133064508CE19C63D769D27065B4C964,SHA256=3C91313089A862EEFAF2AEB2222681589B3A671598051C83F3A6DB91804EFB61,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:32.448{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145A21ADCA8E9F8DB3880DDA27617287,SHA256=2CC2574E7F19D5D08EA9324EC366CEB615011A04E6D99D813EED49E703173E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:30.142{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61384-false10.0.1.12-8000- 23542300x800000000000000019629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:32.135{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=045A477B07FDEB7759815FF07C7058CC,SHA256=83BBE02E24EA5D19AB34678E05DF4A34B4EC21280864CF53037E7AE5F431DCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:33.448{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4536945A7BA1FBDDBB4A74D36FFF37FD,SHA256=EC95A48011BD39D06650505BC802EBAB7CAAAD96974A3B11D639C3125CD27924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:34.479{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0FAB083BA02EDC115DF1F6BA31A813,SHA256=A39D73E37107EE1A6C9DCD1809FDF4301A02A64634BACDAF22F5B6D4F5F8B901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.963{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A16B-60D3-F902-00000000CF01}1688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.948{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A16B-60D3-F902-00000000CF01}1688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.948{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A16B-60D3-F902-00000000CF01}1688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.854{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=6A5646CF18EF7AE7E9A5462676FA41AF,SHA256=84B3443C91D522A6F3C630E4922E596FD54199184F2F5EB640B4D86D59B1224B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.479{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCEC7C7E036FD6A6E645AD600EE7DB4,SHA256=66675BAC66208FF0345E5F4ACCD6DD58A687DCEA2189AC38C01C14D298802AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.385{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A16B-60D3-F802-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.370{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A16B-60D3-F802-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.370{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A16B-60D3-F802-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.354{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=1429D697A7AB617C76B44C2B7469EE5D,SHA256=ED3301689ACA32DE4F3D571D54D951136B97580089553AB01C710373BF4ED41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.354{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=B920396E1D28C84D806079252F6D94E0,SHA256=FAFF9AD7AC40A818DE75CB967BC1F3B9FADBCAA572C3AFB3E512345E306DDDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.182{4DB9351A-A167-60D3-F702-00000000CF01}2228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IJ2EEVPAN\System.Data.ni.dll.auxMD5=C18156D66FE66E7DB4B7AC3D0A67A972,SHA256=715D0D95168A0C258DBFA12E04ACC5150D729AF0E8C3477085A78559B423C8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.182{4DB9351A-A167-60D3-F702-00000000CF01}2228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IJ2EEVPAN\System.Data.ni.dllMD5=B4E2B2F388EB5326957E362B7089F3EF,SHA256=E2C586AC15571A6026145B430677022B79B8E58BDE0F3664A986DA41B6951148,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:35.026{4DB9351A-A167-60D3-F702-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8b4-0\System.Data.dll2021-06-23 21:02:35.026 23542300x800000000000000019650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:36.510{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A98BD943F4A87B458709D73E7748FD,SHA256=88FE433E6F50FB5B93C2B2017CE946BF543FD3212E0F265D7F5018B10932E164,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:35.314{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61385-false10.0.1.12-8000- 23542300x800000000000000019648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:36.323{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E3749347A4E9CB3A66939D86F920BC,SHA256=9C63206890D3AA1BEEE0D7DEE848D5FF5CFB3EAB5FF95D255CCD5518EAA5953E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:36.323{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=0C229B89F63003D791C89B7A95F8D9FC,SHA256=622BDDE6AD239DA6991212E274B5A36F7863A77F517F80348A1BC4488B55FBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:37.666{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C122AE571D4F55637B15932BE31B715,SHA256=BD0F8EE5C99FEE27F98E823C841E12B316D03276E1C99C9CC51C479541F2ABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.682{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E286B75300780720A2EFA09E41C6,SHA256=C9191A32B776FCF43E77532627AD41CC7D9D4A5C5FCACCB0EAF913BE9DA9371B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.791{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42D352109B6A13119BE18379149DA81,SHA256=4C766445C12E9BEFFF929BDB7B0ADCBFC89FC9FCDF8C87FCCE6A30791B907FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.604{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306CD73A7D23875FC8CB5C6FF24A3B53,SHA256=BAC917F5CC79E2FC68E87BEAB98E8985A85A4CEDE3BF69907EF1438FC0380270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.073{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.816{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533B03711CC354DE2857CD984A8072C0,SHA256=74312C05EB7BFC60D8DE3F1A9541689058F7B072CAF4AC2959F1633DEF0B1970,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.635{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61390-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.635{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61390-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.634{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61389-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.634{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61389-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.633{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61388-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.633{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61388-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.631{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61387-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.631{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61387-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.627{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61386-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.627{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61386-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 23542300x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:41.895{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41ED8AD32078BD6647C6B5016890C9,SHA256=91C4E843D7190DF890E98544C60DE457EF81C5B4CC43176261AA5C8EE0F3E971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.110{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61391-false10.0.1.12-8089- 23542300x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:42.910{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849671DA75B19A7C53CF869EC64089A7,SHA256=AA9C06150F8D8EC7A37F4E5C0462AA45DA96030CC5AE0FA17661228E30CA6A81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.738{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61394-false169.254.169.254-80http 354300x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.694{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61393-false169.254.169.254-80http 354300x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.692{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61392-false169.254.169.254-80http 11241100x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:42.707{4DB9351A-A16B-60D3-F902-00000000CF01}1688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\698-0\System.Windows.Forms.dll2021-06-23 21:02:42.707 23542300x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.926{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84937EA3491254820AD912395AF8019D,SHA256=86D403C1C31897B684361BD14F4CD983FFF6DF0E4CADE522E980B2DD79336625,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:41.261{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61396-false10.0.1.12-8000- 354300x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.866{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61395-false169.254.169.254-80http 10341000x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.816{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.801{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.801{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.254{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.238{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.238{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.005{4DB9351A-A16B-60D3-F902-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BE3PZ7Z5BN\System.Windows.Forms.ni.dll.auxMD5=21E2E61DF5B7999BB79B1FFBF8C31550,SHA256=02AD47EF0468AA364FCB0146EC901BC3484BE76B6114E115E9E3032D5E449814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:42.988{4DB9351A-A16B-60D3-F902-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BE3PZ7Z5BN\System.Windows.Forms.ni.dllMD5=0AF28C9C7B3718528290583CB29A69D3,SHA256=3D9E7B2CB00D806EA1746CF57D3D6FCED987B1F5496A267D5973681803C68585,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.988{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.973{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBD1C7ABB49C646B90B7087D964E84,SHA256=5A00B2DA611033E8F37808C89420D6EB03913C46FC5DBEB42EE6B09867FCFFBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.973{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.957{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.832{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.832{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.770{4DB9351A-A174-60D3-FD02-00000000CF01}6992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G0VM3YOYJ3\System.ServiceProcess.ni.dll.auxMD5=7894E3AADBAC65EE6846CB64BAE89E3C,SHA256=CF666E8030F79D92981DF3B9106199DFAC7AF8F96551A54B1CB5C05EC5047436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.770{4DB9351A-A174-60D3-FD02-00000000CF01}6992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G0VM3YOYJ3\System.ServiceProcess.ni.dllMD5=766FB2FAD30D64EEFF95A1B6D7FF704D,SHA256=1433EA260AF380C525C211AD68C016AD9BADB6D5A6146E7A3A7B4C2EF5A057F3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:44.754{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b50-0\System.ServiceProcess.dll2021-06-23 21:02:44.754 10341000x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.613{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.598{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.598{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.395{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.363{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.363{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.301{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18DB98E74A4A4CE6E24AABF5373EAC6C,SHA256=26072A367BDC32FB03311DE5E88A4AB4BBC388A7BF26AEBBA19485BF74EF8B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.285{4DB9351A-A173-60D3-FB02-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BZMUV4VOWQ\System.Runtime.Remoting.ni.dll.auxMD5=7C3A037AA7645B5E5525B827CF6BDDE4,SHA256=66F0C2B98DAFFCEF511FE94D2C83E7FE8311353207252F9C4BD78B213C4FDB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.285{4DB9351A-A173-60D3-FB02-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BZMUV4VOWQ\System.Runtime.Remoting.ni.dllMD5=6E0E147FBBEF471CBF76FAE667A27764,SHA256=EDD5C0D6F11622A5CF38D0FFAF79187E5D7731A29EADC1A07CA36A196796FFEA,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:44.270{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\da4-0\System.Runtime.Remoting.dll2021-06-23 21:02:44.270 10341000x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.816{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.801{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.801{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.754{4DB9351A-A175-60D3-0103-00000000CF01}6248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBGQB10SZG\Accessibility.ni.dll.auxMD5=9F3DEBAE3752FBBE597F14AB5A09E165,SHA256=41DFFFC091EAC9BA651CD3533E87EB659A2324794A014EB11107BFBCDDC713A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.754{4DB9351A-A175-60D3-0103-00000000CF01}6248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBGQB10SZG\Accessibility.ni.dllMD5=EA568B250B2812F50514B8052FE9470E,SHA256=AEC0E9C8266E2FAF2189A414D108A152E628992A179432E9B0BF854CC6B837E4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:45.738{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1868-0\Accessibility.dll2021-06-23 21:02:45.738 10341000x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.676{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.660{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.660{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.598{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.582{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.582{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:45.488{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11d4-0\System.Management.dll2021-06-23 21:02:45.488 23542300x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.426{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FECEC84CA9127174363B578CF8946285,SHA256=96BC3A83EE369F10B8936E04E2B5CEDFC92BD83A0179B34D71DDC16C2291B0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.988{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEC30854D180C3CF33778F0901C86A3,SHA256=CF7AAD6A5BF97D534BC0B36E83B1609C35BC79A787FB0693EFD050A1F7F9DD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.816{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C621ECC0DB1EB3B579524B6C14450B,SHA256=D4612FD87A9EAB1F8A663293AD2D98674C16C149F2C6F74F8F7DF13ABA928141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.207{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.191{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.191{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.988{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0C04E1B858D7A97B2BE079834E262,SHA256=66F0630439D4E10C69FFD62EF68353C9274A40D2BD68B8590990C9B4B808DC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.941{4DB9351A-A177-60D3-0603-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RMMJJSBVRE\System.DirectoryServices.ni.dll.auxMD5=31286E44B261B65582EC519B9203D318,SHA256=8B91498B66C0F3715D475DECC77B6DF189F14806F5E814B6C954B94CB7891F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.941{4DB9351A-A177-60D3-0603-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RMMJJSBVRE\System.DirectoryServices.ni.dllMD5=9200CABF15C545EAE0645372960FF7A7,SHA256=9A23D5A7D6A5803334B7E91A639E46D8E9DB85AA03559DCB2C7FEB3870699B6B,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:47.879{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd8-0\System.DirectoryServices.dll2021-06-23 21:02:47.879 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.363{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.332{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.332{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.285{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.269{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.269{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.207{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.192{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.192{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.098{4DB9351A-A176-60D3-0303-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U8SLS5HAUR\Microsoft.VisualBasic.ni.dll.auxMD5=014370C2C340177B4F4B45C6DD281F3E,SHA256=BAD9FC63EA5C80D85009FBA7DDF699175A00466B7AEF1E802281635A6784E2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.098{4DB9351A-A176-60D3-0303-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U8SLS5HAUR\Microsoft.VisualBasic.ni.dllMD5=F7EB3BD0DF441921AE17140ACFFDD52A,SHA256=2F1B8DFDFA6E5FC41D66F88B9437FF0473BC713278E207DE63D485024731881D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:47.051{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18a0-0\Microsoft.VisualBasic.dll2021-06-23 21:02:47.051 10341000x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.707{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.707{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.644{4DB9351A-A178-60D3-0803-00000000CF01}4784NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PDSPYAGW31\System.Transactions.ni.dll.auxMD5=41647B6347DDA57E3341211880499114,SHA256=B75F63545EA42F8D312E5603146C43F773C9BD6526786795412BA4030E6C5090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.644{4DB9351A-A178-60D3-0803-00000000CF01}4784NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PDSPYAGW31\System.Transactions.ni.dllMD5=3E29FF5CA4A3450636E1196494C42CD5,SHA256=B557336FB30E51EFEFA7FDC886D84A32F0292F83030A52CC7913B8FEDFDC4428,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:48.613{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12b0-0\System.Transactions.dll2021-06-23 21:02:48.613 23542300x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.254{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68CA6FF180E3F19ED34F048146807DA3,SHA256=A645502F99D5B1DF5962180CB303E95FDCDEB99FD5A84498DFD293B9FCAB97E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.144{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.144{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.144{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.113{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.113{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.277{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61397-false10.0.1.12-8000- 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.019{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.019{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.004{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB759303FCC590B5D283A2ABF16F77F8,SHA256=AB2F80BD4E66F00AC95B18D3EA7FA915980E19D8034084A2B01E4505138EA721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.754{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=204210C552E51A4B767F849A7290EE77,SHA256=D24A95FAAFE2F2BABD819239B24770011C326C71D6A9E78F77B8A7AE97E25702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.098{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.082{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.082{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.019{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045FB30CA09E55B0BE293C3A9E045EF7,SHA256=761A145A82DB5144875EB0300E8D6361E7F30CA3D94DEB285B852A8F70600851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.968{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.953{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.953{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.874{4DB9351A-A17A-60D3-0E03-00000000CF01}6512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\A85344AH8L\System.Configuration.Install.ni.dll.auxMD5=66A5D6A518D673D91B07970E39A615C9,SHA256=48CDB45F5BB50657F1E096A1A785CF6603009B01A3D723F81A8E3E4284233E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.874{4DB9351A-A17A-60D3-0E03-00000000CF01}6512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\A85344AH8L\System.Configuration.Install.ni.dllMD5=B755C1222F499DEC3761B2043A8AD309,SHA256=0D5ABE3783AC66E16D0158045499C4F46E38E994E93A1C860BB040EDACA85FF0,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:50.859{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1970-0\System.Configuration.Install.dll2021-06-23 21:02:50.859 10341000x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.671{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.671{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.469{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.437{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.437{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.374{4DB9351A-A17A-60D3-0C03-00000000CF01}3860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MTYPYA5NLE\CustomMarshalers.ni.dll.auxMD5=A2AB2FCA847D5A56A6CBC60C30746E57,SHA256=A2BAAB933EB75B68F913C983F22A8940DF435BF948775140CEDE51AC4095A368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.374{4DB9351A-A17A-60D3-0C03-00000000CF01}3860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MTYPYA5NLE\CustomMarshalers.ni.dllMD5=AF7ADECB9CC4D188412413B4CA9E0E61,SHA256=46AB95E9C4B39D1D65A08ED2047903F2A03D266260234F58EBC7F6AC3246E111,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:50.359{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f14-0\CustomMarshalers.dll2021-06-23 21:02:50.359 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.265{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.234{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.234{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.156{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0B03-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.140{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0B03-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.124{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0B03-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.062{4DB9351A-A179-60D3-0A03-00000000CF01}4392NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Q4JCG2CG8M\System.Web.Services.ni.dll.auxMD5=A73316AF3F9FC8940FDDAA9FE1D75E84,SHA256=9B1EBA9891AFA6A63EA266F2A0DF0A406A8DCC9D0B831A8A651813CACB592E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.062{4DB9351A-A179-60D3-0A03-00000000CF01}4392NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Q4JCG2CG8M\System.Web.Services.ni.dllMD5=F80E6DD1B9694714BA86689D897A9D2B,SHA256=A3E8DB2AB8D68211AA2C81AEACA3F9E4DFB9A6EB5DA11EF8DFEA9D5930F289A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.019{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128B0D7CED7F7C686A0B7D3CE9248351,SHA256=8AFD51410C1BB632A64FAD0E611AA41DD08A079D45954071247AD694ECE95C5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:49.988{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1128-0\System.Web.Services.dll2021-06-23 21:02:49.988 23542300x800000000000000019791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:51.282{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60CA59A944F52D8D4CEE08392665B5C5,SHA256=BEB44D005F4998E03856862B2BAD7910019DA1913FE3C8928503145093F5BD16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:51.171{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17B-60D3-1003-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:51.156{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17B-60D3-1003-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:51.156{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17B-60D3-1003-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:51.046{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AFBB240B0A0C5F56431D8B18B913B7,SHA256=0E3D89C138B96519E3A96199DFCAA65C974EF59BD37E4DE740F23896BF19A348,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.610{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17C-60D3-1203-00000000CF01}6732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.593{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17C-60D3-1203-00000000CF01}6732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.593{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17C-60D3-1203-00000000CF01}6732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.296{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D42703D1932D0186B43C4980D6D4D67,SHA256=716C589F94D4CFC43D61820CB788C88F538D896AAC666163A66167E832A07834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.296{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17C-60D3-1103-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.265{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17C-60D3-1103-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.265{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17C-60D3-1103-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.171{4DB9351A-A17B-60D3-1003-00000000CF01}4116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VA4USU5A5W\System.Xaml.ni.dll.auxMD5=31606CBBAA0EE6736F8A987EF1749068,SHA256=39E3E727CB4F1038B8C7187E39892B2CD0B013665036C10FC2A4A9AC0DD10E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.171{4DB9351A-A17B-60D3-1003-00000000CF01}4116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VA4USU5A5W\System.Xaml.ni.dllMD5=7C975A8EACFF62312E2D02A8376A8239,SHA256=7303B52675CA2FA78C41D957924264E7EA216CE93C65516A8B22B61465F4397D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:52.125{4DB9351A-A17B-60D3-1003-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1014-0\System.Xaml.dll2021-06-23 21:02:52.125 23542300x800000000000000019811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.374{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F0B3FB47611753919C58FD30A3ADC0,SHA256=95146D2A2A976B3067C8465AAACA48A7D75705BC534E0045520630AA7D8D7983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.281{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E85DC99B87F8F6148D1D4D7AFAC2650,SHA256=01CBE33B1FD7E198A7D8EAB8AAE1C85D7AF941454BA125F4A585660F828F9E37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.218{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A17D-60D3-1303-00000000CF01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A17D-60D3-1303-00000000CF01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.203{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17D-60D3-1303-00000000CF01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.078{4DB9351A-A17D-60D3-1303-00000000CF01}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.944{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17E-60D3-1603-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.929{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17E-60D3-1603-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.929{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17E-60D3-1603-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.897{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1281419817301D9DA09B0FC4997C22AA,SHA256=374B24C442B2A975F71D8E5035B21D61299474BC27DB66F8A84FAE10707F3775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A17E-60D3-1503-00000000CF01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17E-60D3-1503-00000000CF01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.851{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17E-60D3-1503-00000000CF01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.721{4DB9351A-A17E-60D3-1503-00000000CF01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.819{4DB9351A-A17C-60D3-1203-00000000CF01}6732NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3U6SHY6IZ9\WindowsBase.ni.dll.auxMD5=1092B21F673909592A952203B9783282,SHA256=C41AFD7B7F108DF0F94A44DE4789DD5977EB4DCC8C1D1A62759EB1A6B9F43331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.819{4DB9351A-A17C-60D3-1203-00000000CF01}6732NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3U6SHY6IZ9\WindowsBase.ni.dllMD5=F8DF879CEBFABA5BB690C96F6647E400,SHA256=4543F38D30F9276474F9D95A1A7980D4B8DC42876D9C37C24488821017CDB659,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:54.741{4DB9351A-A17C-60D3-1203-00000000CF01}6732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a4c-0\WindowsBase.dll2021-06-23 21:02:54.741 23542300x800000000000000019824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.375{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B14E228E858438D33DB1660364453C,SHA256=B135B81B06B64DB2FE6A0F73507134E18A099E9EB911AD69FA898188BEC1608E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.569{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61399-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000019822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.569{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61399-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000019821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:52.163{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61398-false10.0.1.12-8000- 10341000x800000000000000019820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.218{4DB9351A-A17D-60D3-1403-00000000CF01}71242244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.875{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.952{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39EB25A67CBF7ABBC174223E485574F0,SHA256=ED560153AA04D7FD03AB2F66DBC2F5EF998241586AC6960EBEAB06F1E2A087A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.937{4DB9351A-A17F-60D3-1A03-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0FZ81IDWXL\System.Xml.Linq.ni.dll.auxMD5=61E8A8E3E699A8059F5FA65524029959,SHA256=95C52501934AA36E9D0AF3EA88BA021548E16D7033393C75EDBDD0583DD60CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.937{4DB9351A-A17F-60D3-1A03-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0FZ81IDWXL\System.Xml.Linq.ni.dllMD5=AA90C6B3EA58C5485906FE122BC782CC,SHA256=65A337C5A67DA88E01B91068F0A6BD7AA15184B2C9E2F73D276B2D1307F0EC25,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:55.921{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a4c-0\System.Xml.Linq.dll2021-06-23 21:02:55.921 10341000x800000000000000019860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.642{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.702{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.687{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.687{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.538{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.507{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.507{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.444{4DB9351A-A17F-60D3-1703-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\V7W2GH57A6\System.Net.Http.ni.dll.auxMD5=AC82C3BB4D68CD298ECB6826267CE6EE,SHA256=D1C3FCBA0E71F8909B7C33FB0ED4696908F0C0CD53E307E78C14648434CF462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.429{4DB9351A-A17F-60D3-1703-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\V7W2GH57A6\System.Net.Http.ni.dllMD5=D9A222040D5C3C5602CB1DBFEE5A9340,SHA256=228F92CA14A294CAE5048BB505B64902B720A36864A4161332D207622ACDE7CF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:55.413{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bbc-0\System.Net.Http.dll2021-06-23 21:02:55.413 23542300x800000000000000019843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.397{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5179E9D164CA020A5BED5DA62C133C96,SHA256=58BB6C0BCEAED302F0E58262758F37100CED590F6F10D003DF8E17ECDD2B3A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.069{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.054{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.054{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.827{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1EE506BB9DA5CC7A3C64B2B5A08634F,SHA256=0EFEB4F6F0BFF9C29F679F5DCB696EA59B53D52560EE6EB28CEA1BFDFE114C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.827{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C1658BAB21FEAC514ECED6F5E9DA1C1,SHA256=96B94EDD0ADC5F13BB317864D5699589BBF2527DED4FB84359F14E2683FEC8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.643{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262531D7E38226234C15404BC7373856,SHA256=53938BCD9A60D4DF61DC566C15CAB529B1B0069A82831EEBF7DED9AF34981663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A180-60D3-1C03-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.515{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A180-60D3-1C03-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.515{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A180-60D3-1C03-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:02:56.203{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:02:56.203{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9F667F05-E98B-4538-82BE-6312C93AD303\Config SourceDWORD (0x00000001) 13241300x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:02:56.203{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9F667F05-E98B-4538-82BE-6312C93AD303\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9F667F05-E98B-4538-82BE-6312C93AD303.XML 10341000x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.031{4DB9351A-A17F-60D3-1903-00000000CF01}69086604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.015{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A180-60D3-1B03-00000000CF01}5384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.999{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A180-60D3-1B03-00000000CF01}5384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.999{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A180-60D3-1B03-00000000CF01}5384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.702{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A181-60D3-2103-00000000CF01}7036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.702{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CA21E0D91C8F82A3DF9D1DF96D7BBD,SHA256=8EEDD9D2B0F9E64D5C0B53FFEFEC197EFF0C2A869966892CDDDA739A6BFF0BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.687{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-2103-00000000CF01}7036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.687{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A181-60D3-2103-00000000CF01}7036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A181-60D3-2003-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.499{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-2003-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.499{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A181-60D3-2003-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.499{4DB9351A-A181-60D3-1D03-00000000CF01}53486928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.438{4DB9351A-A181-60D3-1F03-00000000CF01}6556NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SZAQ2XLZUQ\System.Runtime.WindowsRuntime.UI.Xaml.ni.dll.auxMD5=D4E5F3E526F65AB1C0B43938D624EA47,SHA256=3F23BFC8C144DBA32D1F86666465F421A00835DEA0D7E468BA33935838716C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.421{4DB9351A-A181-60D3-1F03-00000000CF01}6556NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SZAQ2XLZUQ\System.Runtime.WindowsRuntime.UI.Xaml.ni.dllMD5=93A40B51D63FFDAB85AC03509209B0C3,SHA256=94A3DE19B46B9B1F6FD4FC8B159737B667A68ECB51E83E246F9497E5C569BB24,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:57.406{4DB9351A-A181-60D3-1F03-00000000CF01}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\199c-0\System.Runtime.WindowsRuntime.UI.Xaml.dll2021-06-23 21:02:57.406 10341000x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.281{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A181-60D3-1F03-00000000CF01}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.252{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-1F03-00000000CF01}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.252{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A181-60D3-1F03-00000000CF01}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.156{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A181-60D3-1E03-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.140{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-1E03-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.124{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A181-60D3-1E03-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A181-60D3-1D03-00000000CF01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-1D03-00000000CF01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.062{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A181-60D3-1D03-00000000CF01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.063{4DB9351A-A181-60D3-1D03-00000000CF01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.031{4DB9351A-A180-60D3-1C03-00000000CF01}6320NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CROYBTCQJO\System.Runtime.WindowsRuntime.ni.dll.auxMD5=F834E5C9A7866887362FB9213F18DC0D,SHA256=A625FB887C34995095C4FA4BA4267799C8846641366006B98D993563ADFC8BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.015{4DB9351A-A180-60D3-1C03-00000000CF01}6320NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CROYBTCQJO\System.Runtime.WindowsRuntime.ni.dllMD5=27EF880C773B45568FC308A312FED2EC,SHA256=F803E4273F8CC85B0C84F0B1EB86568E7210DA1A1E8EF05D1F019E833250E519,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.999{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D204971838DB124BF068481FA0B2AEBA,SHA256=6C0D784C9D87BEA1DE14F57971D2AF5479372F3F58128C8B13012EB8B0CC411A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:56.999{4DB9351A-A180-60D3-1C03-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18b0-0\System.Runtime.WindowsRuntime.dll2021-06-23 21:02:56.999 10341000x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.577{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FECFFAB70B071FF7BE4FFF5135614E,SHA256=EC7428885642386F98793541CB9BA9735C8C1B868985B3D4031F06D18F8FA31F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.268{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61402-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.268{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61402-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.261{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61401-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.261{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61401-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.242{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61400-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.242{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61400-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 10341000x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.359{4DB9351A-A181-60D3-2203-00000000CF01}70643740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.124{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.970{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.062{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8B9BECB2EB242D6793BA2C414012CE,SHA256=2F2761AA2D431C8112BD37AF2D4BB89FA49F8C005A7FEFE95C1AADA4685EB2F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.672{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.609{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C262C23091B0F245AB18BD3A3C10D5,SHA256=6239DECB4B78E37C21BD629086295782A5A08E95AB7668D51DD0CAC2E1F54CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.531{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.531{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.437{4DB9351A-A181-60D3-2103-00000000CF01}7036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SFAE3EP180\System.Runtime.Serialization.ni.dll.auxMD5=3D84DB165ECCE73AE3BD3D388DF02345,SHA256=CA86DF1C03C0304B4956A0EDE7A597A323936886ED8927D1E4D2869EE1CBD1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.437{4DB9351A-A181-60D3-2103-00000000CF01}7036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SFAE3EP180\System.Runtime.Serialization.ni.dllMD5=B17184CBA4F7BA09DAA13DE7947AFAB7,SHA256=61FE390E5BC862993C2D101BACB76CB487DC9C161B3A0AF08EFAC87EA2E4776C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:59.359{4DB9351A-A181-60D3-2103-00000000CF01}7036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b7c-0\System.Runtime.Serialization.dll2021-06-23 21:02:59.359 23542300x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.609{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DF6EA952F0A1920501F14F6C665F38,SHA256=FB1AABEB6D7247B65E2357D50AB5A873248AC583093CF6F7E6EB0E673C38243B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.531{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12DEB75FDA6303E5F7CC9574DB369115,SHA256=EF90ADB6278B2F309ECD2FEB534F37F0DAE2C87ACD060088EAB4C751889B3911,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.115{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61403-false10.0.1.12-8000- 10341000x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.452{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.437{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.437{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.296{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-9DD8-60D3-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:01.640{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976CFDC5E8D84F08928C6BBC82676EC,SHA256=42165B69A82CB01B250ED41FC6F92132123E04852698CAC83990A870DCA91B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.357{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61406-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.357{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61406-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.252{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61405-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.252{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61405-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.244{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61404-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.244{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61404-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 23542300x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:02.671{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4C3532F4E679F0F1D84F0A8451B5D5,SHA256=F81112912A927AE44002BECC8AA175CC2B66900AB44C9024195CD80FC3F8CF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:03.687{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DC8D9363805161D1E4B110777FB48E,SHA256=0117062EEB719FD4A15D22254373A5D771672E5E4F0DCED5223E9A1E34A2A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:04.687{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023F65CBBF3C732A12FBF1D88CA1C2C,SHA256=EF0F3ADF08BE3D7F814F8D0369FA46C2F047F19DBD863DC24569035F167FD834,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:03.194{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61407-false10.0.1.12-8000- 23542300x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:05.734{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6075BFFAB08B3D8E6FF5E3BAEAD0C203,SHA256=BACA9220F71C3166F9CF47FC12F552266B034E831FA982095A38C194642200BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:06.765{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCAE1A7E67DF8DB4AD09AA7DBD45004,SHA256=D1E99286AEC2EB094CF06253CD8CB05B0E991A1974753F5FFA9435D7F4C08905,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:06.468{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76873-0x29eda44d) 23542300x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:07.905{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42E02999E534B94D9C0A66C763A733E,SHA256=87EA53E12E41989842263272AE9CA5299ECBD25E265ACF3463EC854A9A06963C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:08.937{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA219221A9028EC34851AC96F3AAA1E,SHA256=AC4103B994C287A23F99269335C065155C57A6597E42CE3E0C20174E0A73EB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.937{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D629FB6CB3BBD0DC103AE01445943776,SHA256=014773955F2770594C10456C56301390D73068C4C01806DBB2980E0150B39469,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:08.209{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61408-false10.0.1.12-8000- 23542300x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:10.938{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B175E43A118CC1F7BD018E619872A4A9,SHA256=188984E658D4A368CBB7D30D39125AAEBC1069E452EE96D7CDE1B011B9610CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:10.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3649BB154A1CE5FA7314DDE40796892B,SHA256=02CC8DF31F720C4493C99A02DC5D4BBAE92F73AFDD5301CC0CD2B985C62AA247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:10.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B23744CBD1989AAB272ED10B32DCF15,SHA256=675F89764E82B76270758B5F1BB0047833C0F01AFCED5A5E7050146BF88F3775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.953{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F583FB92A7E1CE0DDA2E4BDA4DE84D3E,SHA256=20D3A6FD32B6867DF78AD822F7B42F73E5083250C9FA184D1195D8D46672B4F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.719{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A18F-60D3-2603-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.703{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A18F-60D3-2603-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.703{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A18F-60D3-2603-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.422{4DB9351A-A184-60D3-2503-00000000CF01}6136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LJFM4CRZNW\System.ServiceModel.ni.dll.auxMD5=BC5B8E9098BCB0FBD5B0BB3F67D6FA39,SHA256=EBC59D5A5922EAA498E84B02C3F7179FC2CBABDB24D64995DDC1D46FFB0939A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:11.422{4DB9351A-A184-60D3-2503-00000000CF01}6136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LJFM4CRZNW\System.ServiceModel.ni.dllMD5=17015EDD211E2B3F88EA4398394359C3,SHA256=9DB2318A0C2A57C66DA61C7D698A02480B64D635E332EEBD9CE461F7F65B4476,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.794{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57466- 354300x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.794{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57466-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domain 354300x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.789{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61410-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.789{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61410-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.788{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61409-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.788{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61409-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 11241100x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:11.047{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17f8-0\System.ServiceModel.dll2021-06-23 21:03:11.047 23542300x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:12.954{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9450FD475E58CC1B294E1415255B73E5,SHA256=DB39E0C3C5C249A3E337C9F9C0AF9AAC8CFA3205FC7C8A9F91419018D1E935FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:12.391{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A190-60D3-2703-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:12.375{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A190-60D3-2703-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:12.375{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A190-60D3-2703-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:10.373{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local50420- 354300x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:10.373{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local50420-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domain 354300x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.795{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local65524- 354300x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:09.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-663.attackrange.local65524-false10.0.1.14win-dc-663.attackrange.local53domain 23542300x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:12.094{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3649BB154A1CE5FA7314DDE40796892B,SHA256=02CC8DF31F720C4493C99A02DC5D4BBAE92F73AFDD5301CC0CD2B985C62AA247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.969{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965E533EA0FC50F61AEC8C587F9B4B6A,SHA256=7080A33F73C48F4EFEF86B2E251270B09B9334E7D89205B516E9EA5137E02AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.391{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=440D7219ED3C23F4EB911F17150EF212,SHA256=BE61D73C2CBE7A19AEA900A306C93C9AFBA02AA23ED3A0C3E610805C7B9096B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.407{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local50785- 354300x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.406{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57200- 354300x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.405{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local52240- 354300x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.405{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58495- 354300x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.404{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local60288- 354300x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.402{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49955- 354300x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.401{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local55452- 354300x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.400{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53339- 354300x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.399{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local59726- 354300x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.398{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57767- 354300x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.397{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local56203- 354300x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.394{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local54560- 354300x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.392{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local56310- 354300x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.390{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local54590- 354300x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.389{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53416- 354300x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.388{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local52659- 354300x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.388{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local59384- 354300x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.386{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53337- 354300x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.385{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local56358- 354300x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.383{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local52369- 354300x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.382{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local59469- 354300x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.381{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local49867- 354300x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.381{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local52389- 354300x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.379{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local50925- 354300x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.379{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58818- 354300x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.375{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local49963- 354300x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.374{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49827- 354300x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:13.373{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local65524- 23542300x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:15.000{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120E8C8C7C06BA2BCFFD42BD7990D366,SHA256=7531DF7FD5EB56374F2E02507C832A60FFB024986A85ACC62A86DD728BD7C186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:16.329{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DD59D3B813616A2E192A0CB9D3D8D5,SHA256=8A5EDDB98C120E9779F17A460BD587DE599E60F3F0FC2DF6BDACA0E1D899C6DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:14.179{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61411-false10.0.1.12-8000- 23542300x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:17.360{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E934F89860735420B4229BD0D40BC6F3,SHA256=ECC723028A024A7CD0D4FA37CC26E47DEFDB3BE4BA2292C79C39AB739BA86A64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:18.938{4DB9351A-A190-60D3-2703-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1418-0\PresentationCore.dll2021-06-23 21:03:18.938 23542300x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:18.360{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21731DAA6016669F2DDB051073201033,SHA256=98DE5F89C4AFDE7B5F6C284B2FCF7B9A086248A16ED0DB337AAEF1B6B75FF72F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.563{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A197-60D3-2803-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.547{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A197-60D3-2803-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.547{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A197-60D3-2803-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.378{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F4943A78C7221CBA6D6B7BB995E1E4,SHA256=9917C93E880702C96F89337BA5B235ED4397F56BCE098762F88D3F4618515CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.219{4DB9351A-A190-60D3-2703-00000000CF01}5144NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HFNMWU5YPL\PresentationCore.ni.dll.auxMD5=09F710A079AEC3D8687367D47C6AD79D,SHA256=A7657195592D48E46ADFAC5E028396D9181FD81FBCA53AAC7DF3014F20CDA284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.219{4DB9351A-A190-60D3-2703-00000000CF01}5144NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HFNMWU5YPL\PresentationCore.ni.dllMD5=65590C4A2888D0BB9BC6F60898796305,SHA256=27FED9E1D1D1D410A4F7F3439C0B8C7A5D061766BE9349FFADDDBBB60858FFEE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.735{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FFF3FA5A642A800CAB9BDFF83CC1E2,SHA256=3B9BA50503477D961BE38333B35B870412A5830F340BA4DD47CAD9B32E6A2F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.735{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C4D0E2FFA9EE6F48EEABBC37511676B,SHA256=6290478ECB5FEE374C8827686CD7478D312CA2D589E4978F7CD5C317AF9AB55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.391{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5099452D649B968BE30457055493B2E,SHA256=96F10064EE1652D7742817D0B195FFDCFE05572D7ABCDC367EDC9C1F77530B22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.172{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A198-60D3-2903-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.141{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A198-60D3-2903-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:20.141{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A198-60D3-2903-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:19.210{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61412-false10.0.1.12-8000- 23542300x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:21.516{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F88912D9D1FF6943DBC67F84DD578A,SHA256=E0B17C3C94FA7377F9FB82EDFDA7FF679D6E781B76DBA8017002F7FA8F38BE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:22.610{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B78F933E982B843802D8560A8EBC4F,SHA256=77720BE2F23B4CFFB24052915177611CF91C99A974847F7883664905D904C35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:23.610{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D95D4D1CE148596B0255C3D0A422058,SHA256=92625C4CBB0EC4DC7C14E4891AAD303882F57C62098D14A2B58A28E736D5F4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:24.703{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61E8112DFE95B2280F90D39D51AB797,SHA256=6FB0C3D52017ADAD2B16CCA2ACEF107DE68719AEADCBAB66EAA0103515553692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:25.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD500DA49B27AEACAE95DD23AD601FCB,SHA256=993B020C2A11E1881C5198D3B9D33A60FF2C145A42A3D020BFAF7262EF4FE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:26.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336301D22252CEE6649853DB08FC911E,SHA256=C23A18174AECECD456F4F77AF8023B83F320477AD9246E97AA271E3FC4F870B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:25.257{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61413-false10.0.1.12-8000- 23542300x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:26.125{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C55377B6E01541D08CBA49948C91AE25,SHA256=B4F042BF166C4D2B49070DCEE216B0A8B4F9990CA0DAB8AF68E019C85B041191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:27.766{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF4DB7BEA50BF0EC0573DCD3FE0478,SHA256=3B1DD58657A654C5E8FEF45CD27C0C1D56F6EC820AAFFB2E604F7C2277600E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:27.266{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045996C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1000-00000000CF01}104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:28.797{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881431F41D774F6D6AE7B026EA3E29BB,SHA256=3708C29507A7EB7580213D48395AB4DCF2A21BDE6E19DE0FA28A2F94B9B07AE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:26.882{4DB9351A-9DDD-60D3-1200-00000000CF01}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:29.813{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE21EA76CB06F62D4D35F9FDF9E38E4,SHA256=A6E49D2B3D10A8E4907121E5F9BC17593CAADE3FD16121C48748D7B167BD770F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.909{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.894{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.894{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.862{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CE415D14DCB7863CF9038983D67E84,SHA256=744FA084996E2F4E639D2AA15F1DB19F92B9571DDEB1EBCC3096462BEAAA58B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.565{4DB9351A-A198-60D3-2903-00000000CF01}5892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3UA6AGWATA\PresentationFramework.ni.dll.auxMD5=8F1FD4778E91747A58145154E17EA5AF,SHA256=5F51126070FAC3B2FE9EFFC6F556531FCF6A24E2CDABA5256662A878DFC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.565{4DB9351A-A198-60D3-2903-00000000CF01}5892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3UA6AGWATA\PresentationFramework.ni.dllMD5=4EB0ACB2849F125982D53B74DBA06226,SHA256=BAB44F496D0350D8D73DD0CC0D493CC1C5F26C6A4959F50CBBDA7560E58A220E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:30.159{4DB9351A-A198-60D3-2903-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1704-0\PresentationFramework.dll2021-06-23 21:03:30.159 23542300x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D524089EAC3C83530DF0C017011D8EB,SHA256=3FF63511DD69335CB909B203A0117B1DA21814AAB65A1B1CAAC9D6AECC6460CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.909{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C5202C9B5D84F66FA4AC458DF62E43,SHA256=916474E125A5FE5C59F687DB82F93035E8C2C258A9117C9B21AABA88FDABB72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.909{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FFF3FA5A642A800CAB9BDFF83CC1E2,SHA256=3B9BA50503477D961BE38333B35B870412A5830F340BA4DD47CAD9B32E6A2F7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.831{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.815{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.815{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.503{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.487{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.487{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.440{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I84BRTBVVB\PresentationFramework.Aero2.ni.dll.auxMD5=F91789F604526CA841F28F37B68C5E54,SHA256=D5B2D5F63E8CE0DF123D59D3D124C6F6BB12EC49088A40C7E9B911D4428E0027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.440{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I84BRTBVVB\PresentationFramework.Aero2.ni.dllMD5=CA8219EEAD330BD35652A64EF3106037,SHA256=AB51A461375A9F6BD2859F45C7E13E080D1DAD15800AD9EA1958D89507A59BA9,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:31.409{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\158c-0\PresentationFramework.Aero2.dll2021-06-23 21:03:31.409 10341000x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.050{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.018{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.018{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:32.972{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7A8F7492CF768930BF15636ABA826A,SHA256=DA94E9B2FEF6AC487CEF03B51B9F516373C488E4D8B78B9C67611DE5412EF73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.260{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61414-false10.0.1.12-8000- 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:32.737{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:32.737{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.972{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07765F12B9C0989413F4CBE791CAAEB,SHA256=2210CE7D89ADC40795C3FA906027371FAACCFB094A5FCFA93BE125DB1DB03ADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.690{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.675{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.675{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.612{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A5-60D3-2E03-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.597{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A5-60D3-2E03-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.597{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A5-60D3-2E03-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:33.440{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15c0-0\Microsoft.ActiveDirectory.Management.dll2021-06-23 21:03:33.425 11241100x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:34.972{4DB9351A-A1A6-60D3-3503-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16c4-0\Microsoft.GroupPolicy.Management.Interop.dll2021-06-23 21:03:34.972 10341000x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.893{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3503-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.878{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3503-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.878{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3503-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.831{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3403-00000000CF01}6924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.815{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3403-00000000CF01}6924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.815{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3403-00000000CF01}6924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:34.784{4DB9351A-A1A6-60D3-3303-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1be8-0\Microsoft.GroupPolicy.Management.dll2021-06-23 21:03:34.784 10341000x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.643{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3303-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.628{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3303-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.628{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3303-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.612{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C5202C9B5D84F66FA4AC458DF62E43,SHA256=916474E125A5FE5C59F687DB82F93035E8C2C258A9117C9B21AABA88FDABB72F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3203-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.565{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3203-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.565{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3203-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:34.534{4DB9351A-A1A6-60D3-3103-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1004-0\Microsoft.GroupPolicy.ServerAdminTools.GPOAdminGrid.dll2021-06-23 21:03:34.534 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.472{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3103-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.456{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3103-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.456{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3103-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.409{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3003-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.394{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3003-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.394{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3003-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:34.331{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1980-0\Microsoft.GroupPolicy.Targeting.dll2021-06-23 21:03:34.331 10341000x800000000000000020152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.972{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-4003-00000000CF01}6724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.956{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-4003-00000000CF01}6724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.956{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-4003-00000000CF01}6724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.909{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3F03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.893{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3F03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.893{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3F03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.878{4DB9351A-A1A7-60D3-3E03-00000000CF01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e9c-0\Microsoft.GroupPolicy.Targeting.Interop.dll2021-06-23 21:03:35.862 10341000x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3E03-00000000CF01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.768{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3E03-00000000CF01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.768{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3E03-00000000CF01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.737{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3D03-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.690{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3D03-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.690{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3D03-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.675{4DB9351A-A1A7-60D3-3C03-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b10-0\Microsoft.GroupPolicy.ServerAdminTools.Private.GpmgmtpLib.dll2021-06-23 21:03:35.675 23542300x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.675{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8911EF9603C302D55E909D07F9082CAC,SHA256=AAC72F2DE5CC7A8097D945554D5A5F05D63F1AA36E1BDBA8CC4B62B9EDA35EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.628{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3C03-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.612{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3C03-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.612{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3C03-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.581{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.565{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.565{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b18-0\Microsoft.GroupPolicy.Commands.dllMD5=F999FA3CE2FFE86E86886C6826A276DD,SHA256=3E89D13E6F0B6AA16CE301B010FFE629D51DD7B0FBECC0DE1A071CD3082EC72E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.550{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b18-0\Microsoft.GroupPolicy.Commands.dll2021-06-23 21:03:35.550 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.409{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.393{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.393{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.393{4DB9351A-A1A7-60D3-3903-00000000CF01}6996NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.GroupPolicy.Commands.dllMD5=F999FA3CE2FFE86E86886C6826A276DD,SHA256=3E89D13E6F0B6AA16CE301B010FFE629D51DD7B0FBECC0DE1A071CD3082EC72E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.378{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.GroupPolicy.Commands.dll2021-06-23 21:03:35.378 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.237{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.222{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.222{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.175{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.159{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.159{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.143{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E7D8C4494A6F0F58F12E0E4551CE5,SHA256=5CAE42C95B80DB99E428404FAAFE2F9C1368C135DF393E106525E3546401C9E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.143{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f60-0\Microsoft.GroupPolicy.ServerAdminTools.GpmgmtLib.dll2021-06-23 21:03:35.143 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.050{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.034{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.034{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.003{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.987{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.987{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.940{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.925{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.925{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.769{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=420B693452761167FB4C143FC9EB1C77,SHA256=80A56FDF7576A037130DED8C4A4CFA19EE29E4396980C8BADCB13828BB9BA45A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.550{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.534{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.534{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.425{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.409{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.409{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.347{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.331{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.331{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:36.315{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b94-0\Microsoft.ActiveDirectory.TRLParserInterop.dll2021-06-23 21:03:36.315 10341000x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.175{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.175{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.128{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.128{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E14CD5CFC78D89455F496112E646C23,SHA256=BB8B1F6DBE506E6CF2A3FE564E4137C42DECAE32286A0A0D2A606D9E9B002C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.112{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.112{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:36.097{4DB9351A-A1A7-60D3-4003-00000000CF01}6724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a44-0\Microsoft.ActiveDirectory.TRLParser.dll2021-06-23 21:03:36.097 23542300x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D840185DAAF35E5CCD3573E8913D4A,SHA256=63ABA053485595C88B1DA574E7B7573B946B415B06AE40AD34D0A7059F37C795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.628{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.597{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.597{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.300{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.268{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CE6A59221F518B52543416808F6B8D,SHA256=7CA87F7355386DCF29889534B9956E657A5A5C304B063EA0E3496436AFC83EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.253{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.190{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.190{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.879{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.862{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.862{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.768{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.768{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.706{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ARAU4TET2A\Microsoft.Activities.Build.ni.dll.auxMD5=B6E470B62D8052BD786D531762D68CD3,SHA256=5B37AA355AB4EE027D87CB37BA89E80DCEE95C41E3926E96679ABD822FB0677B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.706{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ARAU4TET2A\Microsoft.Activities.Build.ni.dllMD5=BD7BD1F4B94D5941F79BFA0D5721181C,SHA256=E66F8444FD8F5AD3F329F97F44E2E95C4181C057CB7C5A0EED0EBB6B6BE66F75,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:38.690{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ec4-0\Microsoft.Activities.Build.dll2021-06-23 21:03:38.690 10341000x800000000000000020193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.550{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.550{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.253{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4A03-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.237{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4A03-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.237{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4A03-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.206{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0604735443D620686D3B4D713FEFDF9B,SHA256=016756F4FB948649C80F3C6A2C9D1164C2E9B981A82CCC6ACBDCC6A50875EE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.260{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61415-false10.0.1.12-8000- 10341000x800000000000000020214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.722{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AB-60D3-5003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.706{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1AB-60D3-5003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.706{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AB-60D3-5003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.550{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AB-60D3-4F03-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.534{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AB-60D3-4F03-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.534{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AB-60D3-4F03-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.253{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7ABAF5CABD5746C37F50BDA14F88DAD,SHA256=8230CC99E29C08C09986F358D47D2BC572D1AC9EB3044F012EF3CAD276FEBC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.206{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B6191918AA25422CF3F865B1D7248A,SHA256=AFA95D463B33CF6245D3F701B4917B9E6217A378E1E66833A04AB5C501D84887,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.159{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AB-60D3-4E03-00000000CF01}2440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.128{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1AB-60D3-4E03-00000000CF01}2440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.128{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AB-60D3-4E03-00000000CF01}2440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.081{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:40.659{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56EABB00BC89659B10F2E8B89F4E6353,SHA256=FC0DC4A4295E17EB2E19EDAEB1C31A6E88F3E20E45AEE88BF70C362C5802AD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:40.221{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893C8F285CD37806864A58BFBE3C05D,SHA256=FDD2E112C2DA49D880AF7C071832D4C14F8F2185CCD31600B8F5B4F5AC70A864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:41.284{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02300F557A0F06B16E8DD5958E02FCFC,SHA256=30DE3812B61EEB6F7788A61E150A3D253E953696871DAA3AA4522CA0FD3D0B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:39.135{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61416-false10.0.1.12-8089- 10341000x800000000000000020226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.909{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AE-60D3-5203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.893{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1AE-60D3-5203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.878{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AE-60D3-5203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.846{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AE-60D3-5103-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.831{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AE-60D3-5103-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.815{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AE-60D3-5103-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:42.643{4DB9351A-A1AB-60D3-5003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1898-0\Microsoft.Build.dll2021-06-23 21:03:42.643 23542300x800000000000000020219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.378{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE9274D0A68849DE080A5A273EBD1E6,SHA256=A89EBD812B5C3B5AA38C65F540E78CF2F7BEF314098DAF0C227E3F0182F96CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.815{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED6036A40EABCE5086B9846D75421C2,SHA256=7116A52A3CFCE855B8468952A841036BE9598F6CCA9504A029ECD5B7FB07BE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.471{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257FCFD58E76ED66575EB77DCA247F7,SHA256=AA118C05019E1948F3EC25EA6EDDD29018050C3F38E9849CB70DA91ABD802FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.175{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AF-60D3-5403-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.159{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AF-60D3-5403-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.159{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AF-60D3-5403-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.112{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AF-60D3-5303-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.096{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AF-60D3-5303-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:43.096{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AF-60D3-5303-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:43.003{4DB9351A-A1AE-60D3-5203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1900-0\Microsoft.Build.Conversion.v4.0.dll2021-06-23 21:03:43.003 10341000x800000000000000020251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.800{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5803-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5803-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.784{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5803-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.690{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5703-00000000CF01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.659{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5703-00000000CF01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.659{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5703-00000000CF01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:44.581{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b5c-0\Microsoft.Build.Framework.dll2021-06-23 21:03:44.581 23542300x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.487{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C72D9AD6879411B9FBEB73F114602E8,SHA256=3AE53C1DF4CC988FEF286D1FEF5D0434D277E5C5C0A2FA58184BE61EE8615B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.331{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.284{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.284{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.238{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.206{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.206{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.260{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61417-false10.0.1.12-8000- 11241100x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:44.018{4DB9351A-A1AF-60D3-5403-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\Microsoft.Build.Engine.dll2021-06-23 21:03:44.018 23542300x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:45.487{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B114377E7E5F48116D2D4885CD863A,SHA256=C12BB306CB87D47607774032F289710BDE4B9DD0DDE5907B199B571427C09981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:45.206{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE731583B4D12B527619E173FDBE597A,SHA256=EA0CC829413CE66BA2195FFA7D3949777406BFC3EB638E696019DA44A0241F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.972{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.956{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.956{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.893{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.862{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.862{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:46.690{4DB9351A-A1B0-60D3-5803-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\195c-0\Microsoft.Build.Tasks.v4.0.dll2021-06-23 21:03:46.690 23542300x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.503{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215A2EDE2C788C3E86882235CED8DF64,SHA256=D071A4BE89EF90C7CFE2D8DAAAE62C0E2721EFB35DFD899C9C320E8BFFDBEB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7EFDBAAA39ED2A65F6B1FB5B460ABA,SHA256=BE0918CF321427C7ECD37051F2201167690B3579020F051365098EB72C5B2857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.800{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.784{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.721{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.706{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.706{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:47.690{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1320-0\Microsoft.CertificateServices.Deployment.Common.dll2021-06-23 21:03:47.690 10341000x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.612{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.596{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.596{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.503{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EB0E5FC62812AFAE2C52330577968D,SHA256=30F444C87AE5F6B98834B90CECC960657169B0A25A857630D63AF7D877B752F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5B03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.456{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5B03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.456{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5B03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:47.362{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9b8-0\Microsoft.Build.Utilities.v4.0.dll2021-06-23 21:03:47.362 23542300x800000000000000020285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.550{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F5589798009C2CBF3247076230D170,SHA256=EC764E36F27ABE993192951B0AF3B23BE8E92B070DCF3E5FCC06D74312A31320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B4-60D3-6003-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.471{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B4-60D3-6003-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.471{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B4-60D3-6003-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.049{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B4-60D3-5F03-00000000CF01}4848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.034{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B4-60D3-5F03-00000000CF01}4848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.034{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B4-60D3-5F03-00000000CF01}4848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:48.003{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1960-0\Microsoft.CertificateServices.PKIClient.Cmdlets.dll2021-06-23 21:03:48.003 23542300x800000000000000020312Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.581{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8A9D003A75DF4A577CA533E4F5C71E,SHA256=CB67372296DFEA9C744943F65E8F342B422A1D1F388A370F41F0766E9C38C785,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000020311Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020310Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f1c78) 13241300x800000000000000020309Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7686a-0xe17f73ce) 13241300x800000000000000020308Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76873-0x4343dbce) 13241300x800000000000000020307Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7687b-0xa50843ce) 13241300x800000000000000020306Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020305Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f1c78) 13241300x800000000000000020304Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7686a-0xe17f73ce) 13241300x800000000000000020303Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76873-0x4343dbce) 13241300x800000000000000020302Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:03:49.549{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7687b-0xa50843ce) 10341000x800000000000000020301Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.378{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B5-60D3-6403-00000000CF01}5356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020300Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.362{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B5-60D3-6403-00000000CF01}5356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020299Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.362{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B5-60D3-6403-00000000CF01}5356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020298Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.299{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B5-60D3-6303-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020297Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.284{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B5-60D3-6303-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020296Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.268{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B5-60D3-6303-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020295Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:49.253{4DB9351A-A1B5-60D3-6203-00000000CF01}2536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9e8-0\Microsoft.CertificateServices.Setup.Interop.dll2021-06-23 21:03:49.253 354300x800000000000000020294Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:48.214{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61418-false10.0.1.12-8000- 10341000x800000000000000020293Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B5-60D3-6203-00000000CF01}2536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020292Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.190{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B5-60D3-6203-00000000CF01}2536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020291Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.190{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B5-60D3-6203-00000000CF01}2536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020290Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.159{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B5-60D3-6103-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020289Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.128{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B5-60D3-6103-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020288Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.128{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B5-60D3-6103-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:49.081{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B712825D2001DD6F47E967240B4A0FE2,SHA256=83F1161116489C404A992C7CE463D650638A9467A42D1A0940507E9F2C41AA4B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:49.065{4DB9351A-A1B4-60D3-6003-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ad0-0\Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.dll2021-06-23 21:03:49.065 10341000x800000000000000020328Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.909{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B6-60D3-6803-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020327Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.893{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B6-60D3-6803-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020326Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.893{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B6-60D3-6803-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020325Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.799{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B6-60D3-6703-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020324Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B6-60D3-6703-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020323Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.784{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B6-60D3-6703-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020322Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:50.753{4DB9351A-A1B6-60D3-6603-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b70-0\Microsoft.Dtc.PowerShell.dll2021-06-23 21:03:50.753 10341000x800000000000000020321Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.643{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B6-60D3-6603-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020320Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.628{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B6-60D3-6603-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020319Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.628{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B6-60D3-6603-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020318Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.612{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352F9E3BC9779E1D8180C8085DB4FAC4,SHA256=9E70F3384C5B46C81769C1738906B3D55B49038B095E83FA7A507294092EA660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020317Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.565{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B6-60D3-6503-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020316Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.549{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B6-60D3-6503-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020315Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.549{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B6-60D3-6503-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020314Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:50.440{4DB9351A-A1B5-60D3-6403-00000000CF01}5356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14ec-0\Microsoft.CSharp.dll2021-06-23 21:03:50.440 23542300x800000000000000020313Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:50.128{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12BAC85BBF1B703618EFAE34DCBE099A,SHA256=2242B7BB55094E273AD46138B48BB61F8D1079EEC1E3BAAC08DE3B9865AAF9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.956{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150F7C9BDF06474D4502A219561D7AD6,SHA256=D9C013C8FC6CCB1EDB38568E464182DB790C5D4F73E3C3BC365E537D83BDFBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.581{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9DF4C9A8EE07D5A7FC53D0E93860A6B,SHA256=27D9F1B215D225D92309E727ED0DA738C1C703CF662216D4B26C181E62E55A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.565{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.565{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.440{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.424{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.424{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:51.393{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11d4-0\Microsoft.GroupPolicy.Interop.dll2021-06-23 21:03:51.393 10341000x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.268{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.268{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.159{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.143{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.143{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:51.112{4DB9351A-A1B6-60D3-6803-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bb8-0\Microsoft.GroupPolicy.AdmTmplEditor.dll2021-06-23 21:03:51.112 23542300x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:52.971{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADD10C15F39128D215FF53CB4E14F75,SHA256=BEFD067C23EE3648D7465B1681847089235FA835A03C7C187DBB96C61AED853A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.972{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.538{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAD46F4AB092C262B72CE6B37D349A65,SHA256=21795E17BFE8B5556DE6914314DEF18B71CB15A6196FE2CCA5E5074AEDC6D844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.471{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.471{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.362{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.331{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.331{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:53.159{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b70-0\Microsoft.GroupPolicy.Reporting.dll2021-06-23 21:03:53.159 10341000x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.096{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1B9-60D3-6D03-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-6D03-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1B9-60D3-6D03-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.081{4DB9351A-A1B9-60D3-6D03-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.991{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0FEA12BA39AB3554EAEE86E0D73D381,SHA256=5C0042799660EBBD1A887C1745C9EDE4B53882E41E6FE2932607BB7390701175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BA-60D3-7503-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BA-60D3-7503-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BA-60D3-7503-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.726{4DB9351A-A1BA-60D3-7503-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:52.573{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61419-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000020386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:52.572{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61419-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 10341000x800000000000000020385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.612{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BA-60D3-7403-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.596{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BA-60D3-7403-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.596{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BA-60D3-7403-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.549{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BA-60D3-7303-00000000CF01}5688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.518{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BA-60D3-7303-00000000CF01}5688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.518{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BA-60D3-7303-00000000CF01}5688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:54.503{4DB9351A-A1BA-60D3-7203-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11e8-0\Microsoft.InternationalSettings.Commands.dll2021-06-23 21:03:54.503 10341000x800000000000000020378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.440{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BA-60D3-7203-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.424{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BA-60D3-7203-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.424{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BA-60D3-7203-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.362{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BA-60D3-7103-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.346{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BA-60D3-7103-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.346{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BA-60D3-7103-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:54.268{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1118-0\Microsoft.Internal.Tasks.Dataflow.dll2021-06-23 21:03:54.268 10341000x800000000000000020371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.159{4DB9351A-A1B9-60D3-7003-00000000CF01}59364952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.003{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F3965AAD0D45954FA174725C29A727,SHA256=FA58ADA2CF26BD826F2A5CD389F126DDAAEF19B7005C7DA75F294ABE10E07A99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.973{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BB-60D3-7903-00000000CF01}5720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.958{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7903-00000000CF01}5720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.958{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7903-00000000CF01}5720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:55.895{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1278-0\Microsoft.Isam.Esent.Interop.Wsa.dll2021-06-23 21:03:55.895 10341000x800000000000000020414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.864{4DB9351A-A1BB-60D3-7803-00000000CF01}65007104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000020413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:54.166{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61420-false10.0.1.12-8000- 10341000x800000000000000020412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020410Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.319{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.304{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.304{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.226{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D502FB1E80F9A1F23E67522CD91926,SHA256=2D59815D67DA51794946536F0CA4C7DA507F0A1EF22CF0804640013C3D006BB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.210{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.194{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.194{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:55.147{4DB9351A-A1BA-60D3-7403-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17e8-0\Microsoft.Isam.Esent.Interop.dll2021-06-23 21:03:55.147 10341000x800000000000000020434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.961{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.914{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.914{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:56.883{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cd8-0\Microsoft.KeyDistributionService.Cmdlets.dll2021-06-23 21:03:56.883 10341000x800000000000000020430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.774{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.680{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.680{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.598{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.567{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:56.489{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f4-0\Microsoft.Iscsi.Target.Commands.dll2021-06-23 21:03:56.489 23542300x800000000000000020423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.364{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F886E28DCE2F3D1C43E9FBD51D963804,SHA256=8F422DDF7BB2E4506DA97A51ED0EB73A0DFEE34F7ED679B6AAEC27251163605A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.176{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE19F8A6E399F134A994FEDEC3CCE1A8,SHA256=64B702C7B9C0874370956A3030F318F6AC69BBD805383050591D872DC9A50673,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.020{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.020{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.993{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.852{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BD-60D3-8103-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.836{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-8103-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.836{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BD-60D3-8103-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BD-60D3-8003-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.727{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-8003-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.727{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BD-60D3-8003-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:57.695{4DB9351A-A1BD-60D3-7E03-00000000CF01}4412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\113c-0\Microsoft.Management.Infrastructure.dll2021-06-23 21:03:57.695 23542300x800000000000000020448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.571{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7ACB79F80420E715207BF83B719A9E4,SHA256=9CCE1BF1FEBE4D03766FF63628A877612B263CAE3E45D75E449DC034ADB4CBDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.242{4DB9351A-A1BD-60D3-7F03-00000000CF01}10406920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.211{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB6CB01002033BE232A86288DA2BEC1,SHA256=D164412D73DD208F9BDED997DBEAFDB600D3C6AF108289807725E9D7DA80F296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.149{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BD-60D3-7E03-00000000CF01}4412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BD-60D3-7F03-00000000CF01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-7F03-00000000CF01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.070{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BD-60D3-7F03-00000000CF01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.073{4DB9351A-A1BD-60D3-7F03-00000000CF01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.039{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-7E03-00000000CF01}4412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.039{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BD-60D3-7E03-00000000CF01}4412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.743{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BE-60D3-8603-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.743{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95B92EED12CAC83A673EFBA37E43C69,SHA256=BE274109E99A30DD4EFAD3317666AA3A4E52C8403424B59508DF4E4D02CF396E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.727{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BE-60D3-8603-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.727{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BE-60D3-8603-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.555{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BE-60D3-8503-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.539{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BE-60D3-8503-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.539{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BE-60D3-8503-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:58.508{4DB9351A-A1BE-60D3-8403-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19b8-0\Microsoft.Management.Infrastructure.Native.dll2021-06-23 21:03:58.508 23542300x800000000000000020472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.305{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CECEFE6068756AB30E061185C2AB6F0,SHA256=71282E5C9CD8259E7B308F99343A03DBC7B3A4A1F89957227CFCE9C1A90DE64D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.289{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BE-60D3-8403-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.274{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BE-60D3-8403-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.274{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BE-60D3-8403-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.180{4DB9351A-A1BD-60D3-8203-00000000CF01}54202096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.133{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BE-60D3-8303-00000000CF01}1324C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.117{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BE-60D3-8303-00000000CF01}1324C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:58.117{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BE-60D3-8303-00000000CF01}1324C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:58.070{4DB9351A-A1BD-60D3-8103-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8b4-0\Microsoft.Management.Infrastructure.CimCmdlets.dll2021-06-23 21:03:58.070 10341000x800000000000000020489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BF-60D3-8703-00000000CF01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BF-60D3-8703-00000000CF01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.695{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BF-60D3-8703-00000000CF01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.696{4DB9351A-A1BF-60D3-8703-00000000CF01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.305{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DC98C5EC4D1F38794CB1818AD35DB0,SHA256=972F4448938784B6F0C317BD965A2EBEADCDCB249CBE58149E7573EC400B2BDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.961{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.961{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.945{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b88-0\Microsoft.NetworkController.SDNDiagnosticsTask.dll2021-06-23 21:04:00.945 10341000x800000000000000020505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.852{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.820{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.820{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.774{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF7E92E4733BAA7C88076A4BCFAF2F6,SHA256=B89E791431466300B12A94845FB894EFF700361C0DE52EEC8CAFFC173A46D491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.711{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.695{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.695{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.649{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14dc-0\Microsoft.ManagementConsole.dll2021-06-23 21:04:00.649 10341000x800000000000000020497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.367{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.352{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.352{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.305{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76777A0F3106F3F654D90DC0433253D,SHA256=1E3151D9A1B48D0C00D57E586B7BAC6006A844AEACBD5442D9A180EF830CFC55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.180{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.164{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.149{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.039{4DB9351A-A1BE-60D3-8603-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13b8-0\Microsoft.Management.UI.dll2021-06-23 21:04:00.039 23542300x800000000000000020514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.852{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B9A2E1FA312A80E836A7873E55C011,SHA256=EEBB136104542BC1231207A2D4839A47011C0E9A026EA6000F510AA2AD70BBC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.336{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.320{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.320{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.320{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C6D8ECCE6779070A63E6624F356957,SHA256=A7E1B288E451DF966BF1DD7836D9B18C19D30A0F063C597583A2A8EB917668AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.008{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.945{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.914{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.914{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:02.883{4DB9351A-A1C2-60D3-8F03-00000000CF01}6452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1934-0\Microsoft.PowerShell.Cmdletization.OData.dll2021-06-23 21:04:02.883 10341000x800000000000000020523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.742{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C2-60D3-8F03-00000000CF01}6452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.711{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C2-60D3-8F03-00000000CF01}6452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.711{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C2-60D3-8F03-00000000CF01}6452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.539{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C2-60D3-8E03-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.524{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C2-60D3-8E03-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.524{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C2-60D3-8E03-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:02.445{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1920-0\Microsoft.PowerShell.Activities.dll2021-06-23 21:04:02.445 23542300x800000000000000020516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.352{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB5E8A8D18A3CBD185BC766A9428FA,SHA256=BE96E1E8316A3F0E629894C99166D4B95DAD4035E49121E382D08B1CD6EACA8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.143{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61421-false10.0.1.12-8000- 10341000x800000000000000020536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.727{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C3-60D3-9203-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.711{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C3-60D3-9203-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.711{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C3-60D3-9203-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:03.664{4DB9351A-A1C3-60D3-9103-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\df8-0\Microsoft.PowerShell.Commands.Diagnostics.dll2021-06-23 21:04:03.664 23542300x800000000000000020532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.649{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F27C777EF68831C0E4626862DAB5F99,SHA256=7323F955A842FC4389161B983F16E286CA73AA140D3DDDEED81D98ABABC82933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.508{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4ABC9E3274259C34BAD53B35A6A350,SHA256=929E9E5C23F6519645EBE2A31D0E4A7626185FDBF8898ABC3987FB3EE62F26E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.149{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C3-60D3-9103-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.117{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C3-60D3-9103-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:03.117{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C3-60D3-9103-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.977{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C4-60D3-9403-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.977{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C4-60D3-9403-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:04.914{4DB9351A-A1C4-60D3-9303-00000000CF01}5972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1754-0\Microsoft.PowerShell.Commands.Management.dll2021-06-23 21:04:04.914 23542300x800000000000000020541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.758{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37BA5319F8AC08D0576C72068BC29BFA,SHA256=AD5F4E61A9814DE4BC30CC3DD32820EEB0E50821D2DDF2963DB6135BBC5CC605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.523{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0020AEBDD67A2D48F67559590C75044,SHA256=425C285467716266E7B4AC3A29F91D8D00118DF742CF70D8EDB5E703CA02B639,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C4-60D3-9303-00000000CF01}5972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.055{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C4-60D3-9303-00000000CF01}5972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:04.055{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C4-60D3-9303-00000000CF01}5972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:05.664{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F6DD525E6DC9307B3C58AFFED20207,SHA256=591F3582EC22E57C7F350AB2CA74FA75C822D92151EFC9A5E030A940B824C56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:05.352{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C5-60D3-9503-00000000CF01}6356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:05.336{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C5-60D3-9503-00000000CF01}6356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:05.336{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C5-60D3-9503-00000000CF01}6356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:05.009{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C4-60D3-9403-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:06.680{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32778615D79B784AF8FBFEA9A931DDD4,SHA256=8FDA219DAF79DCA0719FDF225253A4BCBEDE244FA269B6BE764895494BFE7684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:06.023{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDDF1C027C08D2990A27614D128B6A21,SHA256=85226B6FEB19A990C1A5026E2B04AD1AE0E3C2C3BDC0B332A095F24A057D862A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:07.695{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C84C54F30F1E4F02D8DE34974E1C8D,SHA256=6C06AD80B16C2C54E1A0CF96FEB8F85EF71BC07015764886048695D89E58AE93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:06.140{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61422-false10.0.1.12-8000- 10341000x800000000000000020587Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.961{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.961{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020584Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.836{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.805{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.805{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.695{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161908922E0175A92A1DD7B9F5396FF1,SHA256=3378628E4DE2E4D3B98351FB8EFE4192A3BC3EE547CBF70E04846D02E0455CE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:08.508{4DB9351A-A1C5-60D3-9503-00000000CF01}6356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18d4-0\Microsoft.PowerShell.Commands.Utility.dll2021-06-23 21:04:08.508 10341000x800000000000000020595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.477{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.461{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.461{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.398{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.383{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.383{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:09.352{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1be4-0\Microsoft.PowerShell.ConsoleHost.dll2021-06-23 21:04:09.352 10341000x800000000000000020588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.993{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.978{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:10.947{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1910-0\Microsoft.PowerShell.Diagnostics.Activities.dll2021-06-23 21:04:10.947 10341000x800000000000000020604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.618{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.603{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.603{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.509{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.494{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.494{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:10.400{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\58c-0\Microsoft.PowerShell.Core.Activities.dll2021-06-23 21:04:10.400 23542300x800000000000000020597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B954473A399CFB4839A69BD200B3DE5A,SHA256=60329765E284E67653D5C637146BD54B2847AE1ECD1D69EDD0BDA39FB05344A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2BB34D7E0E0202F0E0C7ED2193F1BB,SHA256=5FCC7A1B7A62D5AE447382893700B3863688719420B255FBB93125E08F0C2758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.587{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44B24A7743EB9EFAE2B2F78656D4F4B0,SHA256=559001F925D1790EF6BB1F4AE9A85EE9D5FF4AF3CCABDC41A7AC57DCF07A5F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.228{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBA6FED47CD5F96A9C23A409C91676F,SHA256=FD0C3684010D955034681F0F750D316A53C4DAC010A3ED6C765DEF9D585AB920,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.150{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000020615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.298{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61423-false10.0.1.12-8000- 23542300x800000000000000020614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:12.275{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656443E02DF4F60953E7C8E52C38A6B2,SHA256=886B30EF5F08BC64394E5248574219119320A8A3C0E38AFF792463C90275DA67,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000020617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:04:13.947{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76873-0x52260f3d) 23542300x800000000000000020616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:13.431{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E9AF748C6337000238925FDF0CDA71,SHA256=849A3498ED81A642086DF31FF0B92E19358129DA64CDCF7112EA8838F5C36BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.853{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.837{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.837{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:14.618{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18e4-0\Microsoft.PowerShell.Editor.dll2021-06-23 21:04:14.618 23542300x800000000000000020618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6956B88020A83BC67BF53A4FFF6E9F7,SHA256=8771140858BFA54A46F72879958B5A85E1467EC1AAFC60102A0848FAD1499F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.853{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1448E79DD02AAFB8D7B85EDDD48EED,SHA256=BA7891394FCB3502D3F1472449D58B709C508A317C4FA02C13376CD0BDA10917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0404B871836C603B5B884269E48F4FC7,SHA256=1F18F3B377F911650D3BF0F33D1ED7E04BDD39CE1A67D15F157500B077B65416,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.118{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.103{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.103{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.572{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.556{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:16.447{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1980-0\Microsoft.PowerShell.GPowerShell.dll2021-06-23 21:04:16.447 23542300x800000000000000020628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54E140FED223610D1789ACF6527025F,SHA256=AF3FC75BBEE73DF02B0B5DF9C24EB538FCB0DE66056645715A76A12DFA453975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.822{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.822{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.759{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.743{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.743{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:17.712{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19dc-0\Microsoft.PowerShell.ISECommon.dll2021-06-23 21:04:17.712 10341000x800000000000000020644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.665{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.650{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.650{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.603{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.587{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.587{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.587{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B395FDABCFF5A72185FA7569A18058D,SHA256=2CAFAEFA5408946E10E08922090DD498E59560BCD4C296B21194554190753149,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:17.540{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ac4-0\Microsoft.PowerShell.GraphicalHost.dll2021-06-23 21:04:17.540 23542300x800000000000000020636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.462{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA43E899C6A73BB85DEC1469A3A9486A,SHA256=4C4FD4BC1A017FFD8EF09D088C872F25F7CBE48D6DCE3EAB5981A4D884D24612,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.978{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.822{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.822{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:18.759{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\830-0\Microsoft.PowerShell.Management.Activities.dll2021-06-23 21:04:18.759 23542300x800000000000000020653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.603{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=784B7E4E5CF56388CDB1FFA14575BBC8,SHA256=3107B116FB8CA831F55D7A0422668231C9BFCF4B0AAE16B62F59C1C456F5848D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D3F62B6617F8A82733013EC2D8EA70,SHA256=21F2C8B7C44AA00CCB29690E22BD17ED0282AE3266C7525A64DA70EA2AA1957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.837{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8CBC766A98E792C1ADB900074502BA,SHA256=614C014FB9648E90ABEF06C9C0B9DAA4E3E5CA5BA8CB4BF76D029FE37D43BE31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.696{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.681{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.681{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:19.650{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a3c-0\Microsoft.PowerShell.Security.dll2021-06-23 21:04:19.650 23542300x800000000000000020669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B53BB20BE6013E35F08160BAF55293,SHA256=E14051FF9CB1B363BEF9B6640C0B31371215D2F942CD09758B9565D0CB140E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.462{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.446{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.446{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.400{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.384{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.384{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:19.353{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19b8-0\Microsoft.PowerShell.ScheduledJob.dll2021-06-23 21:04:19.353 354300x800000000000000020661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.220{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61424-false10.0.1.12-8000- 10341000x800000000000000020660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.995{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.509{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7BE54D8C2E5683825761A53313CCCF,SHA256=75FB7042DA5042EF060F392A719C079B377984AF481C55E7330DDCC815063514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.118{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.103{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.103{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.056{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.040{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.040{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:20.009{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1af0-0\Microsoft.PowerShell.Security.Activities.dll2021-06-23 21:04:20.009 23542300x800000000000000020694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.525{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51398E40DC09966F733A2A686BEB107D,SHA256=8553B0A8A56DC0940C86487EF8036C4E5AE78B5939B9FB9CD9AF8857FD148F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.228{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.212{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.150{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.134{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.134{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:21.087{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\189c-0\Microsoft.PowerShell.Utility.Activities.dll2021-06-23 21:04:21.087 23542300x800000000000000020686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.056{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=506D8C007B724F73E678E0DD848F0CEC,SHA256=D598B04F28150F93704916CA2A3130E36BA62F02112BE1EFD8B14A414A15CE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.634{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.618{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.618{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.540{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475290C51326D3F5B504468A6AABEB4F,SHA256=F653B1F64CB92E96FB53A0FC4B4AF691599EC2DE4C02008FCE54CF60CA00C701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.415{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.368{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.368{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:22.275{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14f4-0\Microsoft.PowerShell.Workflow.ServiceCore.dll2021-06-23 21:04:22.275 23542300x800000000000000020695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.181{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3624D922FBD17E53E588BE1A02E01CE3,SHA256=7E3F2BD287210A1C1FD6CB5825FFBD6848B4D821B3A3D170677F9C698169875F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.978{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.946{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.915{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.915{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.900{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12b0-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll2021-06-23 21:04:23.900 10341000x800000000000000020726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.868{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.853{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.853{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.790{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.790{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.775{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b78-0\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll2021-06-23 21:04:23.775 23542300x800000000000000020719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.618{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BFE71A8E045F96AAC47CFA88F5FB63,SHA256=692672E8DECDF131581878671F4C51282AD961F9372B81F7B17EC0223D391850,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.571{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.556{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.462{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B403-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.446{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B403-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.446{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B403-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.431{4DB9351A-A1D7-60D3-B303-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e84-0\Microsoft.SecureBoot.Commands.dll2021-06-23 21:04:23.431 23542300x800000000000000020711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.400{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B010DAF68A202C0AD80A3E909B3ABF0,SHA256=F3D35D1B45223B49CF9078295F808153D4605235F3D6C3B450AA5266FCFD9EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.368{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B303-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.353{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B303-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.353{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B303-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.306{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.290{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.290{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.228{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cb8-0\Microsoft.RightsManagementServices.ServerManager.DeploymentPlugin.dll2021-06-23 21:04:23.228 23542300x800000000000000020767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.978{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB8EEB7A964CB722EF9EBDE84CEEF5A,SHA256=F95D9AE7343C2024A0328451DD5BDFF8EFE7DBA68B43BC879646EBC5629489B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.962{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-C203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.946{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-C203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.946{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-C203-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:24.931{4DB9351A-A1D8-60D3-C103-00000000CF01}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\60-0\Microsoft.Security.Powershell.Cmdlets.dll2021-06-23 21:04:24.931 10341000x800000000000000020762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.884{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-C103-00000000CF01}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.868{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-C103-00000000CF01}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.868{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-C103-00000000CF01}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.821{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-C003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.806{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-C003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.806{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-C003-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:24.775{4DB9351A-A1D8-60D3-BF03-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bcc-0\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll2021-06-23 21:04:24.775 10341000x800000000000000020755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.587{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BF03-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BF03-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.556{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BF03-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.525{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45685F56E9CD761AF4D290EC704CB385,SHA256=AD21B269102AC7F483D5BAF59A83AA5000EC960745ECC2A5A41A0452A898B467,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.509{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BE03-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.493{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BE03-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.493{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BE03-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:24.478{4DB9351A-A1D8-60D3-BD03-00000000CF01}7164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bfc-0\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll2021-06-23 21:04:24.478 10341000x800000000000000020747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.431{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BD03-00000000CF01}7164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.415{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BD03-00000000CF01}7164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.415{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BD03-00000000CF01}7164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.384{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BC03-00000000CF01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.368{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BC03-00000000CF01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.368{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BC03-00000000CF01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:24.337{4DB9351A-A1D8-60D3-BB03-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f50-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll2021-06-23 21:04:24.337 10341000x800000000000000020740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BB03-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BB03-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.212{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BB03-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.166{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D8-60D3-BA03-00000000CF01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D8-60D3-BA03-00000000CF01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:24.150{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D8-60D3-BA03-00000000CF01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:24.134{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15d8-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll2021-06-23 21:04:24.134 10341000x800000000000000020733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.993{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.650{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B2435C1880DF9F60CB6DC31978A246,SHA256=5D7C8F5D43D2D836C4BAA1B921BCF1324354618171E40DB56D424788155DCDCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.650{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.618{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.618{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:25.587{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c0c-0\Microsoft.Tpm.Commands.dll2021-06-23 21:04:25.587 10341000x800000000000000020778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.478{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.462{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.462{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.415{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.384{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.384{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:25.353{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8c4-0\Microsoft.Storage.Vds.dll2021-06-23 21:04:25.353 354300x800000000000000020771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.267{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61425-false10.0.1.12-8000- 10341000x800000000000000020770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.025{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.009{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.009{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.806{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.806{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.760{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0880C0B0C9D61552DC80E6C86C9CC724,SHA256=76C277288F29695DB42563AB4616A26FDB2FEE99AA11DEB7B2A6879BC370036B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:26.728{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a70-0\Microsoft.Transactions.Bridge.Dtc.dll2021-06-23 21:04:26.728 10341000x800000000000000020795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.571{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.556{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.447{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.431{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.415{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:26.321{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15e0-0\Microsoft.Transactions.Bridge.dll2021-06-23 21:04:26.321 23542300x800000000000000020788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.134{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=46FA1A6785772762AF52E677174E176C,SHA256=1542F9D33514F41CB767B78CB407C16D62F93AE97BF8D1F05DDB2C73974027F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCDA3670D8B112863E996B3E772B3FF,SHA256=0E1128FB84D58C9EB8324796ED487F45A77D7243E460FF4825A4883FF9FE16F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.915{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.899{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.899{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:27.821{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1990-0\Microsoft.VisualBasic.Activities.Compiler.dll2021-06-23 21:04:27.821 23542300x800000000000000020812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.806{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8811025D191182E95626003990DAD6,SHA256=897CF2DF1171C0BF8EAB6DD65D57D54501A5A1E74B617FD39BD707F78DE9757B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.478{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.463{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.463{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.290{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.274{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.274{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:27.243{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8b4-0\Microsoft.UpdateServices.SMPlugin.dll2021-06-23 21:04:27.228 23542300x800000000000000020804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.118{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50401B0B6C7550890626C7FB0CE6FC4,SHA256=1E4B92DD733C3F8684A035E458D0C275627FCAEFEAB626C5249FD169ED29E1F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.071{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.024{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.024{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.916{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050D24C04FE7B4BA77804ED3CE8287CE,SHA256=713B98D71573946980D2D69D226FFDB6E3B3C522A25BDB3F01D09208EB2E671F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.150{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.134{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA2B8405185CD218A9A5D359CED0744,SHA256=A6CAF74A38C33DD1CFCF69BEFE1B52006D6AF621808305D2C420612687EB8C0C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:29.946{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fec-0\Microsoft.VisualC.dll2021-06-23 21:04:29.946 10341000x800000000000000020838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.853{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.853{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.821{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.821{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:29.696{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c34-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-06-23 21:04:29.696 23542300x800000000000000020831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=105930C7BBE437BABEF9A72B4D7E1957,SHA256=71700865071BECB932832A63343FE3E27074EBF3450401FE13CBAE1479DFDB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1EE506BB9DA5CC7A3C64B2B5A08634F,SHA256=0EFEB4F6F0BFF9C29F679F5DCB696EA59B53D52560EE6EB28CEA1BFDFE114C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.369{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.337{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.337{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D003-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D003-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.212{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D003-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.165{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E2F97387F65F9E8380DA7031AC94A0,SHA256=12DE876D89FEC97F0F30D501B2846825EB897751E78D86A2ABD545B598351D06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:29.088{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1060-0\Microsoft.VisualBasic.Compatibility.dll2021-06-23 21:04:29.088 11241100x800000000000000020849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:30.990{4DB9351A-A1DE-60D3-D503-00000000CF01}420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a4-0\Microsoft.Windows.DeploymentServices.ServerManager.Plugin.dll2021-06-23 21:04:30.990 10341000x800000000000000020848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.678{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DE-60D3-D503-00000000CF01}420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.662{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DE-60D3-D503-00000000CF01}420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.662{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DE-60D3-D503-00000000CF01}420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000020845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.313{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61426-false10.0.1.12-8000- 23542300x800000000000000020844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.241{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33B6DFFEDE53430BFA0D83FCB9E1817F,SHA256=FDC3EF513CF0FB5C44AD19933BC821103E82269EF61A104A18F71CF2A7AB64C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.194{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4088BC99651ADF05F50942B5F799476,SHA256=00AC18EF93F3FC1D0E90BEE0485E983871F13A7D06E9ADF89B41E917EBED713D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.087{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DE-60D3-D403-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.040{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DE-60D3-D403-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:30.040{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DE-60D3-D403-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020889Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.990{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-E003-00000000CF01}5288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020888Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.959{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-E003-00000000CF01}5288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.959{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-E003-00000000CF01}5288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:31.944{4DB9351A-A1DF-60D3-DF03-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17c0-0\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.dll2021-06-23 21:04:31.944 10341000x800000000000000020885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.912{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DF03-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.897{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DF03-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.897{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DF03-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.850{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DE03-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.834{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DE03-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.834{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DE03-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:31.803{4DB9351A-A1DF-60D3-DD03-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a58-0\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.dll2021-06-23 21:04:31.803 10341000x800000000000000020878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.756{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DD03-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.740{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DD03-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.740{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DD03-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020875Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.709{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B807BF3D360153F665C5D2F888C4B430,SHA256=424085B62904914D192FCF0789A3E7988437D7B738498387891DAA156870AE11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020874Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.694{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DC03-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020873Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.678{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DC03-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.678{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DC03-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:31.662{4DB9351A-A1DF-60D3-DB03-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd8-0\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.dll2021-06-23 21:04:31.662 10341000x800000000000000020870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.600{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DB03-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.584{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DB03-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.584{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DB03-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.506{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-DA03-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.490{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-DA03-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.490{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-DA03-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:31.475{4DB9351A-A1DF-60D3-D903-00000000CF01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8-0\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.dll2021-06-23 21:04:31.475 10341000x800000000000000020863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.428{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D903-00000000CF01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.397{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D903-00000000CF01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.397{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D903-00000000CF01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.334{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D803-00000000CF01}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.319{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D803-00000000CF01}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.319{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D803-00000000CF01}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:31.287{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1920-0\Microsoft.Windows.DeviceHealthAttestation.Plugin.dll2021-06-23 21:04:31.287 23542300x800000000000000020856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.194{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824D041FE0E772B84CF2B0E0602D0095,SHA256=F9C2CBDF8EF115369860BF898AE94C9198981687B12E16219C873232C5C1A711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.178{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.147{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.147{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.022{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.022{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.865{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.850{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.850{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.818{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18bc-0\Microsoft.Windows.Dns.dll2021-06-23 21:04:32.818 23542300x800000000000000020923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.772{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B72973E267D9A6EA5B12C2FFF3F5A5C,SHA256=AF24EB44B04FD47647211F4FDF837315A43F3FACFE006C2739104BD00DE92A60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.740{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.725{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.725{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.662{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.647{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.647{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.631{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1704-0\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll2021-06-23 21:04:32.631 10341000x800000000000000020915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.537{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.522{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.522{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.443{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.428{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.428{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.412{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\440-0\Microsoft.Windows.Diagnosis.SDHost.dll2021-06-23 21:04:32.412 10341000x800000000000000020908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.334{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.318{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.318{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.256{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD1474A8ABC050AF8383BD64257AACA,SHA256=DD2326C8A04CEF884CEEE4B87AA0AADC45BDF3E58F8D2A9998633CF444C49E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.240{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E403-00000000CF01}7156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.209{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CBA67371F3076E4D541C0C9A9079D7,SHA256=7F1AAA23CCA11D0A11F94432C5EFF8D1B75D605A13053B71FB2562B117B45E1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.209{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E403-00000000CF01}7156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.209{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E403-00000000CF01}7156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.178{4DB9351A-A1E0-60D3-E303-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1664-0\Microsoft.Windows.Diagnosis.SDEngine.dll2021-06-23 21:04:32.178 10341000x800000000000000020899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E303-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E303-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.131{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E303-00000000CF01}5732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020896Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.100{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E203-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020895Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.084{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E203-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.084{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E203-00000000CF01}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.069{4DB9351A-A1E0-60D3-E103-00000000CF01}5648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1610-0\Microsoft.Windows.Diagnosis.SDCommon.dll2021-06-23 21:04:32.069 10341000x800000000000000020892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.037{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E103-00000000CF01}5648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.022{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E103-00000000CF01}5648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.022{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E103-00000000CF01}5648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.975{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E1-60D3-ED03-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.959{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1E1-60D3-ED03-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.959{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E1-60D3-ED03-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.897{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E1-60D3-EC03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.881{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E1-60D3-EC03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.881{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E1-60D3-EC03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.881{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D964D6B689B5302CBE62085B24E1F954,SHA256=6E7BC6CE0ED2C24FF2F232702B83F41FFCB3055A23B4B553FC312277436D426D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:33.834{4DB9351A-A1E1-60D3-EB03-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1114-0\Microsoft.Windows.DSC.CoreConfProviders.dll2021-06-23 21:04:33.834 23542300x800000000000000020931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.256{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F7EDFD9300BEBFB304DA832B0C0B78,SHA256=016F373452BCD7C2E02074D1D612EB5074BAF5F8AE38FE648884D74F97518C52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.100{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E1-60D3-EB03-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.084{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E1-60D3-EB03-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:33.084{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E1-60D3-EB03-00000000CF01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.928{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7826BFA441D41D8905E859C84EE1FC,SHA256=3E3A22830A2DF759EA841174FA07A2A1F874BAE8E80555B7D3F0DE57163EBB79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.537{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E2-60D3-EF03-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.522{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1E2-60D3-EF03-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.522{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E2-60D3-EF03-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.381{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E2-60D3-EE03-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.365{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E2-60D3-EE03-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.365{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E2-60D3-EE03-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:34.334{4DB9351A-A1E1-60D3-ED03-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a88-0\Microsoft.Windows.FileServer.Management.Common.dll2021-06-23 21:04:34.334 23542300x800000000000000020940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.287{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DCC72F4405804C8B7AB947DE4F515E,SHA256=4E78397F312FCD147A1AB9F490D98BEFA51023A185DA9FE4A88488B15693983C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:34.202{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61427-false10.0.1.12-8000- 23542300x800000000000000020949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:35.318{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62894FD304237F61C88A89FFD899E458,SHA256=D24532FC84485E26A77986C21A6F6F43AF68B311AB1D2C7DA423E86CC44322A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:36.318{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1874781E62C0D187ACDD9452573825F1,SHA256=4BE95BDCC7580A04DE16FCCE36DFEF2D329AB8DD0668DC176FA89B0D139740D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:37.850{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E5-60D3-F003-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:37.756{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1E5-60D3-F003-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:37.756{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E5-60D3-F003-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:37.537{4DB9351A-A1E2-60D3-EF03-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\138c-0\Microsoft.Windows.FileServer.Management.Plugin.dll2021-06-23 21:04:37.537 23542300x800000000000000020952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:37.334{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0593524B4D4E7B470246CA364101F8F,SHA256=FDC7D2524FFBC4D5A5033A406DE38ADDBC76D8A7B57840EFA17ECCA9BF5C2EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020961Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:38.772{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45B0D42F221239BBDA19A2CFED660B51,SHA256=2FC9CEF80CB58ABFDAA406A403654E92CF305511FAC7DAAE6355C0D877060A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:38.381{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45C0BD44D31C5FEFD01ED6C37D98B8D,SHA256=DC28EF5B4A7C9190979A5B51D26AF7F1DE16CF767D71A18F3E8C35856DC5E493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:38.162{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E6-60D3-F103-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:38.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E6-60D3-F103-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:38.131{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E6-60D3-F103-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020963Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:39.384{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A02C17B7F126582949E64C8CD8CC9F,SHA256=0A06AF8728A9D539314AAC8149AD6C96FBFE0ACB5FD6681158088739F8EB3B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:39.100{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:39.140{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61428-false10.0.1.12-8089- 23542300x800000000000000020964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:40.397{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ECA3E65D0F954803C69267DAEE54FC,SHA256=0DA8AAD5545FFB219AE62639462009F8A834EF734EAA545914CAB27FB6318B41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:40.217{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61429-false10.0.1.12-8000- 10341000x800000000000000020970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.818{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.740{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.740{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:41.553{4DB9351A-A1E6-60D3-F103-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a4c-0\Microsoft.Windows.FileServer.Management.Plugin.UI.dll2021-06-23 21:04:41.537 23542300x800000000000000020966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.443{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BF1C364FE4B0568BF3AA368C1BCE41,SHA256=DD3DA79F35875BE3DCE4E5DC7F001DBE808FCDFF6B7CE9AC500FBE8E25DE7311,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.975{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ad0-0\Microsoft.Windows.ServerManager.Activities.dll2021-06-23 21:04:42.975 10341000x800000000000000020990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.865{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.850{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.850{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.772{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.756{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.756{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020984Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.740{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6EF10551835EE6D9A064A7513EED59B,SHA256=A95EE36D40501279941CC786EE58947FC812999033A23F936534DED9C819B79A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020983Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.725{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ae4-0\Microsoft.Windows.HostGuardianService.Plugin.dll2021-06-23 21:04:42.725 10341000x800000000000000020982Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020981Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.584{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020980Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.584{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020979Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.459{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0688E0F6F68DC071236C824CD3BAAD5F,SHA256=EF2E3D789E4414AA1641F0F7E5261B3021CE80366D2C78F7521F11D03862D474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020978Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.459{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020977Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.381{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020976Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.365{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020975Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.334{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.Windows.FileServer.Management.ServerManagerProxy.dll2021-06-23 21:04:42.334 10341000x800000000000000020974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.022{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.990{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.865{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6B211C9CA900664CC7CC6EA16DD6553,SHA256=4C155E14E8052B2C7F33C5760DA95D1CE40B2C56B01A4C2EF33BD59B3C00F333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.522{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC663DE9AF98071979D392EE52A2CF7E,SHA256=74C776DE0579186F7C7D5129FFC772948B429BF8719F4B338A7F74DA3840AE93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.397{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.365{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.365{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.256{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.225{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.225{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:43.193{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f78-0\Microsoft.Windows.ServerManager.BitLocker.Plugin.dll2021-06-23 21:04:43.193 10341000x800000000000000020997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.116{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.084{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.084{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.022{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.006{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.006{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:44.600{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67E9C4D88832C3B2D377736B8F54ADA,SHA256=A5FE5E5BB597835C4C7D6C009C8AE7E6132EEE837561C1FA013401C77FF166AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:45.959{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5c-0\Microsoft.Windows.ServerManager.Common.dll2021-06-23 21:04:45.943 23542300x800000000000000021008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:45.615{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2E717AF64E1AAC67875A561B909267,SHA256=242238B897721EF931FB6A2B34B67E2199D1EF733CA39A402AC9968E5DD9E68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.912{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.896{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.896{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.834{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0829CDC056144F1460C2ABE463E49E,SHA256=CA01D86F65E9CAEADC614451D76E41C7CE29179B650D24D8ED1A80AC8596B48C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.818{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.787{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.787{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:46.756{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bb8-0\Microsoft.Windows.ServerManager.DhcpServer.Plugin.dll2021-06-23 21:04:46.756 23542300x800000000000000021023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.646{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A2A9C071625C57CC677A807DA6F4BD,SHA256=8AB2ABA13C31CF425B27EFF0256939F8E0ED723D401D9BE2C681249DD70CAA5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.522{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.506{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.506{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.381{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.381{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:46.365{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1688-0\Microsoft.Windows.ServerManager.Deployment.Extension.dll2021-06-23 21:04:46.365 10341000x800000000000000021015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.261{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.240{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.240{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.178{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.163{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.163{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000021053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.990{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.928{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4859EA36B06AA0465117F73C595C6834,SHA256=D2F1E826763110198C2F863FAD39215BF5D4110BEE4694B76AE2827C7E0C9363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.896{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.865{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.865{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.850{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f64-0\Microsoft.Windows.ServerManager.Ipam.Plugin.dll2021-06-23 21:04:47.850 10341000x800000000000000021046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.771{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.771{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.709{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D6A3AD2A8DA25A840F7D4D490348E1,SHA256=30735BEE47EAF72C8FFE903ADA5C0D3494C654D97385345D19F4F0117290E404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.663{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.631{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.631{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.600{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b64-0\Microsoft.Windows.ServerManager.HyperV.Plugin.dll2021-06-23 21:04:47.600 10341000x800000000000000021038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.303{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.271{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.271{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.131{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.084{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ba4-0\Microsoft.Windows.ServerManager.FaxServer.Plugin.dll2021-06-23 21:04:47.084 23542300x800000000000000021064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.990{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C88C10C92CFFF2DDC4A2E04FA8DC18,SHA256=E1D70EDE48BCC7339DAEE598CBF2396C76322C344E9B0E3EEE029E6FDECFF77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.818{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4F32B58970903D3F6ED1F727047553,SHA256=E2089BE830293952CAF3C65E5E00E22858583D5F02B1360EECF78D84914B5461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.725{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.693{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.693{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.194{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.178{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.178{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:48.146{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\154c-0\Microsoft.Windows.ServerManager.NPASRole.Plugin.dll2021-06-23 21:04:48.146 354300x800000000000000021055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.170{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61430-false10.0.1.12-8000- 10341000x800000000000000021054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.006{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:49.834{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C343E0D756013E235F71277F953BD97,SHA256=E66DCAF849C41EC78ACBAB634088F36E814E1BB624817F8462F45D7BB4137282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:50.906{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D3292B9A40070E0548C944B34826E0,SHA256=666F2DD24B5ACB17647652989DF0D7BF384261C6C430A5DE5691BC139531B07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:51.918{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A713CC14FE9589644B8842009F976F7B,SHA256=E191D32E512C855D3F475C08111BCDB9EFF4B577DE201452A00653A42353AA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:52.997{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050C48D1A8587B1C88C4DDF830B5711C,SHA256=19E3A4F7A381B69E7B43D03930E899FD9A796D8AA3F92E1787EC53BA3E3CEA3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.950{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.935{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.935{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.856{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.778{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.778{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.528{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A531BCDF756A24B0D8B34E560401FB9,SHA256=81D2508810CB4842D93730F5714FA0139C265044C33DF5B1FF437789F1231295,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:53.497{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f00-0\Microsoft.Windows.ServerManager.Plugins.Ipam.dll2021-06-23 21:04:53.497 10341000x800000000000000021077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F5-60D3-0A04-00000000CF01}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0A04-00000000CF01}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.247{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F5-60D3-0A04-00000000CF01}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.107{4DB9351A-A1F5-60D3-0A04-00000000CF01}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:51.254{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61431-false10.0.1.12-8000- 10341000x800000000000000021119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.981{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-1404-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.965{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1404-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.965{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-1404-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.825{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C262DDBA9ECF5ED2DE552E9EA9A077,SHA256=513841FBE26EFEF860502C13B8EFCCF74D6000F78CA309A79B5BF4646C9867FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.793{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-1204-00000000CF01}1072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.778{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1204-00000000CF01}1072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.778{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-1204-00000000CF01}1072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:54.747{4DB9351A-A1F6-60D3-1104-00000000CF01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1360-0\Microsoft.Windows.ServerManager.RemoteAccess.Plugin.dll2021-06-23 21:04:54.747 10341000x800000000000000021111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.575{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-1104-00000000CF01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.559{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1104-00000000CF01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.559{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-1104-00000000CF01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.497{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-1004-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.481{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1004-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.481{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-1004-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:54.465{4DB9351A-A1F6-60D3-0F04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ee8-0\Microsoft.Windows.ServerManager.PrintingServer.Plugin.dll2021-06-23 21:04:54.465 10341000x800000000000000021104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.387{4DB9351A-A1F5-60D3-0D04-00000000CF01}66526624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.356{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-0F04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.325{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-0F04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.325{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-0F04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.262{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F6-60D3-0E04-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:52.583{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61432-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000021098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:52.583{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61432-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 10341000x800000000000000021097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.247{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-0E04-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.247{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F6-60D3-0E04-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:54.215{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a50-0\Microsoft.Windows.ServerManager.PowerShell.dll2021-06-23 21:04:54.215 10341000x800000000000000021094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.137{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F5-60D3-0D04-00000000CF01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0D04-00000000CF01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.122{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F5-60D3-0D04-00000000CF01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.997{4DB9351A-A1F5-60D3-0D04-00000000CF01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.012{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F97461717714F97B5ED06DF4AE5E76,SHA256=DDC738EDD797B220B0AE0BC4BAB51F7B085FB072E4F17D849B9C70062D76CE5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.982{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.982{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.780{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D80E669F7F2554D7099F108577E7022,SHA256=EA25C1251787C7FF826F5EF09AB186BED8C1FA09007D715A265D697E66345385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.559{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.559{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:55.512{4DB9351A-A1F6-60D3-1404-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\280-0\Microsoft.Windows.ServerManager.ServerComponentDeploymentWizard.dll2021-06-23 21:04:55.512 23542300x800000000000000021128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.293{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E43C7E682F1241BD2336A16C19B93E1,SHA256=38944113D7F2634E51C6A518386D4A4B6696994592E962B710EF72A8F1D0C614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.888{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.798{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.767{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.767{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.545{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:56.498{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16c4-0\Microsoft.Windows.ServerManager.ServerComponentManager.dll2021-06-23 21:04:56.498 23542300x800000000000000021146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.404{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A680053146FD693DE04919BE6B9010E,SHA256=02E875EB61F0F6686C09E4CBBB36D937D7AEF8B10DCF3619A12170FF065129D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.154{4DB9351A-A1F7-60D3-1604-00000000CF01}65925328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.973{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.942{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.942{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:04:57.880{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1af0-0\Microsoft.Workflow.Compiler.exe2021-06-23 21:04:57.880 10341000x800000000000000021185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.817{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.770{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.770{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.580{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.564{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B533A7D1946950ED0CFF3E04F67F8C,SHA256=9E09FEF25963727D487DE8620A164294D4B4C7318E2F9D9ED6FF017C63AEEC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.564{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.548{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.533{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12a0-0\Microsoft.WindowsSearch.Commands.dll2021-06-23 21:04:57.533 10341000x800000000000000021177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.455{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.439{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.439{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.392{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.376{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.376{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.345{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f98-0\Microsoft.WindowsAuthenticationProtocols.Commands.dll2021-06-23 21:04:57.345 10341000x800000000000000021170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.314{4DB9351A-A1F9-60D3-1B04-00000000CF01}65845332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.236{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.205{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.205{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.048{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.048{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.017{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=953BC35F7C12B66C87D7F909CD2199A7,SHA256=EB9AFDC833A88576C9C1EB869E16271C110A38283701B94E91E7B89D9DD9DE27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.001{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13ec-0\Microsoft.Windows.VolumeActivation.Plugin.dll2021-06-23 21:04:57.001 10341000x800000000000000021215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.973{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.958{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.958{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:58.926{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\538-0\Microsoft.WSMan.Management.Activities.dll2021-06-23 21:04:58.926 354300x800000000000000021211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.134{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61433-false10.0.1.12-8000- 10341000x800000000000000021210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.567{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.551{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.551{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.536{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D847252E005C1A0F30A06735E7CD1B9,SHA256=BD019B954C7D1A41DAAF0E74E3C27AE4EBAF50D2A5327FE36114130DEF812A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.489{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2404-00000000CF01}632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.473{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2404-00000000CF01}632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.473{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FA-60D3-2404-00000000CF01}632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:58.442{4DB9351A-A1FA-60D3-2304-00000000CF01}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\196c-0\Microsoft.WSMan.Management.dll2021-06-23 21:04:58.442 10341000x800000000000000021202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.411{4DB9351A-A1F9-60D3-2204-00000000CF01}63006648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F9-60D3-2204-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-2204-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.130{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F9-60D3-2204-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.990{4DB9351A-A1F9-60D3-2204-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.114{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2304-00000000CF01}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.114{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D55CE916C6209C92F01C056DC910D4,SHA256=1183586BE6E9E32C77D3CD57303D6895D892B6CED660288A047FA79530131A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.083{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2304-00000000CF01}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.083{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FA-60D3-2304-00000000CF01}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1FB-60D3-2A04-00000000CF01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FB-60D3-2A04-00000000CF01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.833{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1FB-60D3-2A04-00000000CF01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.679{4DB9351A-A1FB-60D3-2A04-00000000CF01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.551{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=928D9BB8E936F0457F01FD300B38688D,SHA256=ADCB705F0D24F484223409635C437557267D262F4824DB713E61EDCA779B29EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.536{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D4C0167892DC8700AF38499680E9D0,SHA256=55928265A6CEF07A493941ABC19FC20EF1DEA0B9566FE4977D305AE659A76C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.176{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FB-60D3-2904-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.161{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FB-60D3-2904-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.161{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FB-60D3-2904-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.083{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FB-60D3-2804-00000000CF01}5308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.067{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FB-60D3-2804-00000000CF01}5308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.067{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FB-60D3-2804-00000000CF01}5308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:59.051{4DB9351A-A1FB-60D3-2704-00000000CF01}3948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f6c-0\Microsoft.WSMan.Runtime.dll2021-06-23 21:04:59.051 10341000x800000000000000021218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.020{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FB-60D3-2704-00000000CF01}3948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.005{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FB-60D3-2704-00000000CF01}3948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:59.005{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FB-60D3-2704-00000000CF01}3948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.926{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FC-60D3-2B04-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.895{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FC-60D3-2B04-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.895{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FC-60D3-2B04-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:00.755{4DB9351A-A1FB-60D3-2904-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15b8-0\MIGUIControls.dll2021-06-23 21:05:00.755 23542300x800000000000000021237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.677{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=079123BBF5982CE2BA28BA11EE664B09,SHA256=E0C858EA6262784E2F1C26CD45172135744969594951BEAB6C957C5EF353F762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.567{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7796D54D492669855FA59AD5B55848F,SHA256=8D3B346EC384C07C53812483FB8C7BBA2E12D1BF94728CD7F97B6BCCAD86B89F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.989{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FD-60D3-2D04-00000000CF01}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.958{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FD-60D3-2D04-00000000CF01}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.958{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FD-60D3-2D04-00000000CF01}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.923{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F14620E5A8B5051E4AE62BBC36674D2,SHA256=93EA22DC66B1EF8FE507368B244D974139650DEDAA3693875C7B21A09868FD07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:01.864{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15ac-0\MMCEx.dll2021-06-23 21:05:01.864 23542300x800000000000000021245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.645{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089A549C71C3095B22B888D0B28A415F,SHA256=236BB02CBEA0081D9401624D94E1D371D98EF0CBFF292F67C6F24EB87846D201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.036{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.973{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.973{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.973{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE70B70F4DCA6C830D5033BF6F533D5,SHA256=AAEDC3481EF589BD52D1AA626B900B2157F0130E8A2931BB92DEE2BD915A19F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.958{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.942{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.942{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:05:02.882{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\154c-0\MSBuild.exe2021-06-23 21:05:02.882 23542300x800000000000000021261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.661{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451A7FFCF5A9A7D89D63577A6D4CF850,SHA256=874C8941B65D07B4428338E354CB50D3CC28D9215E045988FB6FCAEA2FC35B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.536{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.489{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.489{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.286{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.270{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.255{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:02.223{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f68-0\MMCFxCommon.dll2021-06-23 21:05:02.223 10341000x800000000000000021253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.098{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.051{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.051{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000021285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.263{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61434-false10.0.1.12-8000- 23542300x800000000000000021284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.692{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C109CC1352D7EB0043356C9E9F8655FF,SHA256=1B4FC466D7CDB78AC5CDBDC6D76E024B60B176050B45549F1A1F95832D440C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.551{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.536{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.536{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.380{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.364{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.364{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:03.333{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f00-0\napinit.dll2021-06-23 21:05:03.333 10341000x800000000000000021276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.239{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.224{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.224{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.161{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.131{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:03.114{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1970-0\napcrypt.dll2021-06-23 21:05:03.098 10341000x800000000000000021269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.020{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.020{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021312Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.942{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021311Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.926{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021310Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.926{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021309Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.880{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\PresentationFramework-SystemDrawing.dll2021-06-23 21:05:04.880 23542300x800000000000000021308Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.833{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF787ADEFE465139F8F5031AB3D2F25,SHA256=DB862E9CB84C4D404430309F86D8A75D709C8B7084E3344C97FBDDD702D3710A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021307Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.770{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021306Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.755{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021305Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.755{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021304Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021303Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.708{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021302Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.708{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021301Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.630{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18c4-0\PresentationFramework-SystemData.dll2021-06-23 21:05:04.630 10341000x800000000000000021300Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.583{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021299Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021298Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.567{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021297Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.520{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021296Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.505{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021295Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.505{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021294Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.458{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1654-0\PresentationFramework-SystemCore.dll2021-06-23 21:05:04.458 10341000x800000000000000021293Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.395{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021292Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.380{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021291Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.380{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021290Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021289Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.286{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021288Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.286{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.176{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bec-0\PresentationBuildTasks.dll2021-06-23 21:05:04.176 23542300x800000000000000021286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.083{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653754779A03447FA5D525B6BB2976AD,SHA256=BE5C1FE0E7D772E1B8849642B14931E9F7B3082D0B41469C832653A6B5A34FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.942{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.926{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.926{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.849{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4304-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.833{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0047A3D92CC9D003B173BD0EB65125,SHA256=88FE885D0CB3A534F1A7843CC47489E26431E0BA8A0F1098B361D5A31973EF60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.833{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4304-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.833{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-4304-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:05.708{4DB9351A-A201-60D3-4204-00000000CF01}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a20-0\PresentationFramework.Aero.dll2021-06-23 21:05:05.708 10341000x800000000000000021330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.411{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4204-00000000CF01}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.395{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4204-00000000CF01}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021328Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.395{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-4204-00000000CF01}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021327Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.333{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4104-00000000CF01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021326Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.317{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4104-00000000CF01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021325Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.317{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-4104-00000000CF01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021324Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.287{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060FF845EFAB055A562BE4FF73C4FF73,SHA256=74D85300AFF260236AF9387D4B02A55701D45451BC25FF4264212CA287375D00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021323Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:05.255{4DB9351A-A201-60D3-4004-00000000CF01}5112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13f8-0\PresentationFramework-SystemXmlLinq.dll2021-06-23 21:05:05.255 10341000x800000000000000021322Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.223{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4004-00000000CF01}5112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021321Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.208{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4004-00000000CF01}5112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021320Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.208{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-4004-00000000CF01}5112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021319Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.161{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-3F04-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021318Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.145{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-3F04-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021317Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.145{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-3F04-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021316Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:05.083{4DB9351A-A201-60D3-3E04-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a48-0\PresentationFramework-SystemXml.dll2021-06-23 21:05:05.083 10341000x800000000000000021315Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.005{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-3E04-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021314Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.005{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-3E04-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021313Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.005{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A201-60D3-3E04-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.911{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01FA9BEE07AC6FA3C96B5C9C0FFB700,SHA256=02A556AE464EF0247350101505D2FA9F2E2DA85B4C095E2ECE0739592CBCA1DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.614{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A202-60D3-4804-00000000CF01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.583{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A202-60D3-4804-00000000CF01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.583{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A202-60D3-4804-00000000CF01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.505{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A202-60D3-4704-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.473{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A202-60D3-4704-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.473{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A202-60D3-4704-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:06.411{4DB9351A-A202-60D3-4604-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a3c-0\PresentationFramework.Classic.dll2021-06-23 21:05:06.411 23542300x800000000000000021346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.333{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7843491CC5BF15F5987348006E4E8F92,SHA256=0C880941466C4654861ED6EFBBD39E1441BD58EF04032BE0502780C4F1488540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.223{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A202-60D3-4604-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.208{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A202-60D3-4604-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.208{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A202-60D3-4604-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A202-60D3-4504-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.114{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A202-60D3-4504-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:06.114{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A202-60D3-4504-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:06.051{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13b8-0\PresentationFramework.AeroLite.dll2021-06-23 21:05:06.051 23542300x800000000000000021370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.926{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7463EAFB7F9F8F37F3987882112897C,SHA256=20F886EC2DB78787D5D99DCD5677EFB3D52EB1F368B20F4EC4B91629B25CCC62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.840{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4C04-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.818{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4C04-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.818{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4C04-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.676{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4B04-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.630{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4B04-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.630{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4B04-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:07.489{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b88-0\PresentationFramework.Royale.dll2021-06-23 21:05:07.489 23542300x800000000000000021362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.489{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1389588F480FBD5FBFCD05409A09FC18,SHA256=F9B395CEB52B5F2ED9DF1D76FDA9B2A29ABDE82096F2619CC781DBD3E79C5981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.287{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.255{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.255{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.114{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.114{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:07.005{4DB9351A-A202-60D3-4804-00000000CF01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1348-0\PresentationFramework.Luna.dll2021-06-23 21:05:07.005 23542300x800000000000000021379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.942{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1AB4DDDD6A20DC375D174865CB8B1,SHA256=82A8D425CA7CE7A9EDA34A4BEE0F0CF9EF316BD1B630ECECD1C608933873B52C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.770{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.770{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.692{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.692{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.676{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F765E23A5F30B500F8943DAB11687D9A,SHA256=FC4AFED1A89BD6037F3B65A263DE842E301BBE2C6FB492839FC8E271A67909E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:08.551{4DB9351A-A203-60D3-4C04-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1944-0\PresentationUI.dll2021-06-23 21:05:08.551 23542300x800000000000000021381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:09.958{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4C538636DEB9C44DA7967F84F1E5E6,SHA256=38A81DEEED83CF8F4A1979659B23570DE553BD6205C07E16F7102C82CBCA1A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:09.708{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83029E4547FC17C3765E29E4FC5116EA,SHA256=174B5C8F926F26ADA495135E69C2F872F170747FDB10C3C86516AAFCCDB88AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.984{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.968{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1710ED13A4BAFA0824CADF5CD1AEDC,SHA256=CAE1DE25FEEDDA4B13F8E2AD9F26587303FD74C063488F2E042282DE58360218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.953{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.953{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:10.828{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cb8-0\ReachFramework.dll2021-06-23 21:05:10.828 354300x800000000000000021382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.091{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61435-false10.0.1.12-8000- 23542300x800000000000000021405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.955{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08AFAFB07B1C982F3C49329E6FAE1CA3,SHA256=85EF5B7190CE9A78A59AD487C1F57C033D8C2F559256564886AAA5E721CF69E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.640{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.640{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.578{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5304-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.562{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5304-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.562{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5304-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:11.499{4DB9351A-A207-60D3-5204-00000000CF01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11f0-0\SMDiagnostics.dll2021-06-23 21:05:11.499 10341000x800000000000000021397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.390{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5204-00000000CF01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.359{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5204-00000000CF01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.359{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5204-00000000CF01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.312{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5104-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.296{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5104-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.296{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5104-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:11.249{4DB9351A-A207-60D3-5004-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1878-0\SecurityAuditPoliciesSnapIn.dll2021-06-23 21:05:11.249 10341000x800000000000000021390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.124{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5004-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.093{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5004-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.093{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5004-00000000CF01}6264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.984{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A208-60D3-5804-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.953{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A208-60D3-5804-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.937{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A208-60D3-5804-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.749{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A208-60D3-5704-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.718{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A208-60D3-5704-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.718{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A208-60D3-5704-00000000CF01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:12.640{4DB9351A-A208-60D3-5604-00000000CF01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\106c-0\SrpUxSnapIn.dll2021-06-23 21:05:12.640 10341000x800000000000000021413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A208-60D3-5604-00000000CF01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.296{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A208-60D3-5604-00000000CF01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.296{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A208-60D3-5604-00000000CF01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021410Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.187{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A208-60D3-5504-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.140{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A208-60D3-5504-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.140{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A208-60D3-5504-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:05:12.110{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1938-0\SMSvcHost.exe2021-06-23 21:05:12.110 23542300x800000000000000021406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:12.000{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B98F10D0FC2D03DE8E8A7152ECC8DDA,SHA256=1D3517E932488BA09534CF28858A767FA9A74D6A7D7AD0C0D40896258CFFF8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:13.203{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B18DD7CB9B082140B9252D7C00D6D7A7,SHA256=D67646ADAE37DD4116C354B3E39920700D097C3DE333A0498028FF66716707B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:13.031{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AE0B24219050A5929437AA060AFCC6,SHA256=A817657CBD96BA0F257AEF673EEF49886CE288B23F12272675135608C9004327,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:05:14.484{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76873-0x763b4aab) 23542300x800000000000000021423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:14.031{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7AEF905725A38B8190FD1F7BB110C3,SHA256=F94CF077CF7A62F25F012F599CFB92F4CC254379D4AE9BF262BF0CC4B12A619C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.953{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20B-60D3-5A04-00000000CF01}2080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.937{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A20B-60D3-5A04-00000000CF01}2080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.937{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20B-60D3-5A04-00000000CF01}2080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.468{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20B-60D3-5904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.453{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A20B-60D3-5904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.453{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20B-60D3-5904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:15.281{4DB9351A-A208-60D3-5804-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15e8-0\System.Activities.dll2021-06-23 21:05:15.281 354300x800000000000000021426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:14.117{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61436-false10.0.1.12-8000- 23542300x800000000000000021425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:15.046{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7213C4F799BC9D4AC6C0B2944A2A021,SHA256=3489E3E203A8DFD04B5E5CEC0DF927EC4CBABE516FC58D389EA324AE7922630E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:16.468{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFACF56D6C08FF04EE6B085C33D04288,SHA256=4A029F8B1DE7D40C0F0D7975E1345EACD598E78C4CC3161C90B36449921726D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:14.476{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-663.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000021434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:16.046{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D333038D66693EC651E28CA86FA6EC,SHA256=1704A36780E274F613ED4311370A6C67BD1A3776AFFF934622E59AB00202712B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.937{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5E04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.921{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5E04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.921{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5E04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5D04-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.765{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5D04-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.765{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5D04-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:17.703{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19f4-0\System.Activities.DurableInstancing.dll2021-06-23 21:05:17.703 10341000x800000000000000021444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.390{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.374{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.374{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.218{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.203{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.203{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:17.093{4DB9351A-A20B-60D3-5A04-00000000CF01}2080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\820-0\System.Activities.Core.Presentation.dll2021-06-23 21:05:17.093 23542300x800000000000000021437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.062{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B4B082A33107EDE66202AE9DFBB097,SHA256=C26F3FA964E6407E1323AD09C16C6A8FA942DDCA5540AD7F4E7EC2881D15D77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:18.234{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCA0D4B5F83FF9FA0674424BFE4E094E,SHA256=198BEDDA2AAE52C9CD98633F6E9DDAFBDDA200A0876D5C6CC716ACB2998CEFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:18.078{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680D81798FA77E861C45DF99CDA7E34F,SHA256=C358C800BF4F99C5EC4DE80C3383DA39F0BC628786CE9984B1AB5382E9C49557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:19.109{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4C3DBFF169D48DF93BDD4E58E52A08,SHA256=4711EC3FE2E34E29FED2D20F7AFE77477E209FE7C7E33C0A4D0B74414E387CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.968{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.906{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.906{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:20.671{4DB9351A-A20D-60D3-5E04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d04-0\System.Activities.Presentation.dll2021-06-23 21:05:20.671 23542300x800000000000000021455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.124{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C607E3EF1AB64DFA4555EF3BE91B7487,SHA256=C8C4E98F93F7A014D88D993C2A9379E5F2107C1A5B60BF7CE19F83CEEE0541B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.906{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63DE781B8338316706E8E2299CDFA238,SHA256=CE14D976BA03F017DAB243D84C0CE4609571BD977A2B7FBE1E3415DF826D7CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.859{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.843{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.843{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.781{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.781{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:21.718{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a70-0\System.AddIn.Contract.dll2021-06-23 21:05:21.718 10341000x800000000000000021471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.656{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.656{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.609{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.578{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.578{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:21.468{4DB9351A-A211-60D3-6004-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18c4-0\System.AddIn.dll2021-06-23 21:05:21.468 354300x800000000000000021464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.101{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61437-false10.0.1.12-8000- 23542300x800000000000000021463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.140{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EF4B7FE9CCE7E79EF81742ACE2DDAB,SHA256=E4F956A7328F158E40FC922C782F825A0F58FC233B78D7392893A92451AA4E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.078{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6004-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.046{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6004-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.046{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6004-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.968{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A212-60D3-6904-00000000CF01}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.937{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A212-60D3-6904-00000000CF01}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.937{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A212-60D3-6904-00000000CF01}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:22.874{4DB9351A-A212-60D3-6804-00000000CF01}2904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b58-0\System.ComponentModel.DataAnnotations.dll2021-06-23 21:05:22.874 10341000x800000000000000021494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.781{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A212-60D3-6804-00000000CF01}2904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.765{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A212-60D3-6804-00000000CF01}2904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.765{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A212-60D3-6804-00000000CF01}2904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.703{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A212-60D3-6704-00000000CF01}1328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.687{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A212-60D3-6704-00000000CF01}1328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.687{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A212-60D3-6704-00000000CF01}1328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:22.624{4DB9351A-A212-60D3-6604-00000000CF01}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1640-0\System.ComponentModel.Composition.Registration.dll2021-06-23 21:05:22.624 10341000x800000000000000021487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.515{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A212-60D3-6604-00000000CF01}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.484{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A212-60D3-6604-00000000CF01}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.484{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A212-60D3-6604-00000000CF01}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.437{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A212-60D3-6504-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.421{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A212-60D3-6504-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.421{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A212-60D3-6504-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:22.343{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1084-0\System.ComponentModel.Composition.dll2021-06-23 21:05:22.343 23542300x800000000000000021480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:22.156{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C34E63E11E6C05D5C46B3B8F0223D1B,SHA256=E82866221032EA0CA84479B177DCB50CD29A9CE9C48FEEBD2F13925E36A1B7C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.562{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A213-60D3-6C04-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.546{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A213-60D3-6C04-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.546{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A213-60D3-6C04-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.437{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57CFD2DED817FFE2FD3BA4D55F934A1D,SHA256=7865FE757B0D73587D03859DCD7E6D0D9183E60B26B0925BB6BF21DEDA29E2AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.359{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A213-60D3-6B04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.328{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A213-60D3-6B04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.328{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A213-60D3-6B04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:23.234{4DB9351A-A213-60D3-6A04-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e14-0\System.Data.DataSetExtensions.dll2021-06-23 21:05:23.234 23542300x800000000000000021502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.171{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8098841F36C7109628D839FFD0CA11,SHA256=849F08D856C693133E052DF11094367C9A7FAC512BDAFCA1B77F9A30E7108B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A213-60D3-6A04-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.093{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A213-60D3-6A04-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:23.093{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A213-60D3-6A04-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:24.578{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F0528BF66578B8AC1879FD2A376E68,SHA256=C3E96FFD1407346743050A4A32AD7F8A9B21E2BB32DED3EA746B35B1FC50CE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:24.187{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F515992E57D5C66C0E9260D73F4C3EDA,SHA256=4874F4B0FA1E21BA0E4FE3248C111D3345748FA02238FFAC07DBABAC8E667058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:25.234{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F8DC037402B5DC2E649770E1797BAA,SHA256=67C9CCA69ABCA0DA37D3B36BA9D5F9A9F1139AE3DEC9C7E206876CFC26E9EB4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:25.307{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61438-false10.0.1.12-8000- 23542300x800000000000000021515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:26.265{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F6F8BABE0ED19A9C4AD380954E3E9B,SHA256=778963B0668B92CB41452859DE5DEB55EA2E78841A8B324646AAD55AC3AD5575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:26.140{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F307C063410ED71C76FD865FF89280A9,SHA256=05BDA195C59C489511D2F923F1734B02930840EC42A1E02DEE204089F42C0127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:27.284{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E290BC47F8FA9CBD252D4D3962F534C7,SHA256=CEA604697B08ECB65EEC081E823146FEFA52B82B60074ED3EF6737FA68DA7823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:28.296{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEF5CEE8F5F87AB340B6A29543D903E,SHA256=3A93ED5E75E58EC4FB61EB1BDD181F63DC48BD1FBC30C16CFEDDA171BD08029D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:29.312{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2518805EE2700741A4A4B24F862064,SHA256=C0EC13D3AD7894D24735B803A262A14DF4A9E670FCA251ED6C5D210387153820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:30.357{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B15DBA139149F4DF8204EA16E52EA16,SHA256=77AC113F825A5AFB91DE6DFADAD0AD169FA4A90FBABF0B703A87410EF5C0C050,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:31.731{4DB9351A-A213-60D3-6C04-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\94c-0\System.Data.Entity.dll2021-06-23 21:05:31.731 23542300x800000000000000021521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:31.372{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F4FB9519C3BCBA3A039A9651B35932,SHA256=C5CB7176B191C177B6042BD1728AFCBF6F9C524DEA4C0EA11F0E3640FB18831A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:31.130{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61439-false10.0.1.12-8000- 10341000x800000000000000021529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.404{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21C-60D3-6E04-00000000CF01}2364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.388{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33700B0080928A4B41C98B7F77510B18,SHA256=D5B141781B3E6643CB989819DA85D5D95BC7D0343D11C3BC6B4625CCC0BF90CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.388{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A21C-60D3-6E04-00000000CF01}2364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.388{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21C-60D3-6E04-00000000CF01}2364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.201{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.170{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.435{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80D71C873B75FF5B86F14EA140E2668,SHA256=11F0EE4468E32D104217DD5089FEDE17452BFC053685B6210A5BBB7675FD9B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.294{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.278{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.278{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.185{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2F680E681594DB0D34EA67C49DEBFF,SHA256=776BF8EA469B29F7414E1D063B137402A192E725BA143DA274B8CAD91456746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.185{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099F10003B16DDF11F4E5182F42DF02D,SHA256=ED219A76F9E5BBE02EDCEE9B2F869F403ECD5360BE76A42C1DC4B464CCD128D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.154{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.154{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:33.060{4DB9351A-A21C-60D3-6E04-00000000CF01}2364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\93c-0\System.Data.Entity.Design.dll2021-06-23 21:05:33.060 10341000x800000000000000021549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.794{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.778{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.778{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.669{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.653{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.653{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:34.530{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14f4-0\System.Data.Linq.dll2021-06-23 21:05:34.530 23542300x800000000000000021542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.513{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2F680E681594DB0D34EA67C49DEBFF,SHA256=776BF8EA469B29F7414E1D063B137402A192E725BA143DA274B8CAD91456746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.450{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16810E130834E96FFA88FD007A8194BF,SHA256=FD46B09DD49768BE752BAF2A6F17BEF22A309C3F20D56836E24A7BA538E97D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.669{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74F1800B3517F57674783FD418DE7D0C,SHA256=CA317854BC893731A386C5557FD5355F0F5006F35F85E732CEB7E1901A3A9B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.606{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.591{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.591{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.497{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEAFFC96986C233E8F838C815E9F66B,SHA256=B38FEAF40577383A50160DDB4704CC0F45335541EE31E7BFFCBDF7BA60D15B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.419{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.403{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.403{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:35.310{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10b4-0\System.Data.OracleClient.dll2021-06-23 21:05:35.310 10341000x800000000000000021566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.669{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.669{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.606{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A220-60D3-7504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.591{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A220-60D3-7504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.591{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A220-60D3-7504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.497{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C18299BEA84C10FBDE1C4C1D7955B2,SHA256=A7DACA61E86C6E7B17EC87EE4A3C5673BDFEE3DE7436992DB3AE0E206971F60C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:36.481{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b90-0\System.Data.Services.dll2021-06-23 21:05:36.481 10341000x800000000000000021579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.966{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A221-60D3-7904-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.936{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A221-60D3-7904-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.936{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A221-60D3-7904-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:37.841{4DB9351A-A221-60D3-7804-00000000CF01}3680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e60-0\System.Data.Services.Design.dll2021-06-23 21:05:37.841 23542300x800000000000000021575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.622{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756B86EE4615FCFA920FBE59D76319FD,SHA256=D7F5DBDE775F6947000457F467C57153585300F7AA0CF3EBDD8692455842FA92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.575{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A221-60D3-7804-00000000CF01}3680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.560{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A221-60D3-7804-00000000CF01}3680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.560{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A221-60D3-7804-00000000CF01}3680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.528{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0EE1798EBEDBF7EA9F782A5F990164,SHA256=E0783BC314D130756FF9886EBE4E3A55320B167F991B0031D5C6B85BF541BB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.466{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A221-60D3-7704-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.450{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A221-60D3-7704-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.450{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A221-60D3-7704-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:37.356{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1128-0\System.Data.Services.Client.dll2021-06-23 21:05:37.356 23542300x800000000000000021585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:38.950{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E5646A3287DCC9C0B5CA3E88504A85A,SHA256=22E7418502D9C84B05DFD4979D0F9424B38C064AEA43D75F841BF4E31D1E3064,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021584Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:37.146{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61440-false10.0.1.12-8000- 23542300x800000000000000021583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:38.560{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C710D9BDA18847BB504BEDC230AD4C94,SHA256=838A66199B2863B3A863328C270161D77B071586DA5306C65057CBEC6613991C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:38.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A222-60D3-7A04-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:38.044{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A222-60D3-7A04-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:38.044{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A222-60D3-7A04-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.575{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89049BC2A7F9AC5CF3D6CC60B57BC0DA,SHA256=8F953276C5DF2F11D62BE5C436379B6B01CD45715E3B7AB8A226B36A3251175B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.513{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A223-60D3-7C04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.497{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A223-60D3-7C04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.497{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A223-60D3-7C04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.419{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A223-60D3-7B04-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.403{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A223-60D3-7B04-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.403{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A223-60D3-7B04-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021587Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:39.263{4DB9351A-A222-60D3-7A04-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\934-0\System.Data.SqlXml.dll2021-06-23 21:05:39.263 23542300x800000000000000021586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.122{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A224-60D3-7E04-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.669{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A224-60D3-7E04-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.669{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A224-60D3-7E04-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.606{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F347BB36F5CA0040852AD07670D8F48,SHA256=211A548E63DE8B69A365DDC53185F37AFAD78F36285272B68C8C794E007D9832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.481{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A224-60D3-7D04-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.466{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A224-60D3-7D04-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.466{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A224-60D3-7D04-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:40.403{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34DB03FEA88C70FA10D45A6C51EB4767,SHA256=6DEAC778DADA9C81DFA950A94E5BA3B0A05B42282DC4B4F76445B1BD3CDCD2C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:40.341{4DB9351A-A223-60D3-7C04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1898-0\System.Deployment.dll2021-06-23 21:05:40.341 23542300x800000000000000021606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:41.638{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C47036AEFBD5F4CF326DAE38E78D1D9,SHA256=B08873BE4A628EE8DE87B8DF06BCCDDB4A11498C3CE5AFF97F64492E92AFD47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:41.560{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53861522D681CE309A89016B5FCE91E,SHA256=D80DCC8A969B5FC1C2E41E8CC3632D9D2C84D0F0664087FC6D6608F4ED1A31F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:39.162{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61441-false10.0.1.12-8089- 23542300x800000000000000021607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:42.654{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECAD8F000173F42D2A0796567B66CC4,SHA256=3EC57827154AF4B86E65183B55A585FAD1944B007AF6BD65A289D3FBFE82755E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:43.685{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CA121D696E4D1A32E17FD094AFF115,SHA256=D978BC910E59FFD22F36D762A5A4D6914C4BC951CFDEB728D9E6F53B371C1B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:44.716{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35CDEF3F5FECFB8E7F71D876AF1A0A9,SHA256=92EED0AF9B60BECBF246ACDFC15A3DE6AC191AB403FD3FAB6307BF4CDD911C61,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:44.669{4DB9351A-A224-60D3-7E04-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a0c-0\System.Design.dll2021-06-23 21:05:44.669 354300x800000000000000021609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:42.161{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61442-false10.0.1.12-8000- 11241100x800000000000000021626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:45.903{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cd8-0\System.DirectoryServices.AccountManagement.dll2021-06-23 21:05:45.903 23542300x800000000000000021625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.763{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7EA006F8BF19EACF68087C1E5136BE,SHA256=0542BCBB1D80A768298ABED7F3A5A176580110E631D1A0F5232528C2412015B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.497{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.466{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.466{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.388{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.357{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.357{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:45.263{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\191c-0\System.Device.dll2021-06-23 21:05:45.263 10341000x800000000000000021617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.138{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.138{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.044{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.044{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:46.919{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c38-0\System.Drawing.Design.dll2021-06-23 21:05:46.919 23542300x800000000000000021641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.778{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639C76E410F96BCB7ACFE314A86B18C3,SHA256=773047EE17827F637B5976DA9C864A3DE36827703C243A3899FA423C0D437F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.732{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.701{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.653{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.606{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.606{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:46.513{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\System.DirectoryServices.Protocols.dll2021-06-23 21:05:46.513 10341000x800000000000000021633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.106{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966A92FF873A9E36852D68993952F9E4,SHA256=7AA43CDB2C8C4286DDFC8ACA65BB2CD664DA870CFA47C99C023A66FAB140F482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.106{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.106{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.013{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:47.950{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a64-0\System.EnterpriseServices.dll2021-06-23 21:05:47.950 11241100x800000000000000021658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:47.919{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a64-0\System.EnterpriseServices.Wrapper.dll2021-06-23 21:05:47.919 23542300x800000000000000021657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.794{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71EDDB54CAD5C4B8BAAF84A42D04A4B,SHA256=2E148FFD581CAB7A3E8B6E43F9026CC78F79127DD2CC74628661A351C1E8ACF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.513{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.497{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.497{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.450{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22B-60D3-8904-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.419{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22B-60D3-8904-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.419{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22B-60D3-8904-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:47.356{4DB9351A-A22B-60D3-8804-00000000CF01}772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\304-0\System.Dynamic.dll2021-06-23 21:05:47.356 10341000x800000000000000021649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.107{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22B-60D3-8804-00000000CF01}772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.107{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=414F7DE387F3E07AB726D0BEE4A10066,SHA256=337724CF8E4B05B4E9E37DA396C2274720237D368819099B847A2CBAED60287A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.075{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22B-60D3-8804-00000000CF01}772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.075{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22B-60D3-8804-00000000CF01}772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:47.013{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8704-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.997{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8704-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.997{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8704-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.810{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F201F1EED5EF5601C29EA8B9C6FB1A,SHA256=413C49490BEB50B76B127D7B5CE78A572AFB18668869D753A3841DD2A757A62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.419{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37DE29E09286F6EF4FA5A105E5F68085,SHA256=0C904EE09191C9FDE771FF920546B89C772B4F3AC9F8ED7DD669F96089D53BBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.325{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22C-60D3-8C04-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.294{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22C-60D3-8C04-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.294{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22C-60D3-8C04-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.200{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22C-60D3-8B04-00000000CF01}6444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.169{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22C-60D3-8B04-00000000CF01}6444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.169{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22C-60D3-8B04-00000000CF01}6444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:49.950{4DB9351A-A22C-60D3-8C04-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e0c-0\System.IdentityModel.dll2021-06-23 21:05:49.950 23542300x800000000000000021668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:49.810{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4926C9CBD798CD78171CAE066689F933,SHA256=A913EE42339CA66AE4FFE65CA6E0019CDBD7C3EB9E76A94FFE066E1E9729F2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.815{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE46173C8F668610AADCF89E301C589,SHA256=78EE806A84A7662DA1C533C857325D6F08749E682040930F96BA4BF645C3B174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.799{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22E-60D3-9004-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22E-60D3-9004-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.784{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22E-60D3-9004-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22E-60D3-8F04-00000000CF01}4272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.456{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22E-60D3-8F04-00000000CF01}4272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.456{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22E-60D3-8F04-00000000CF01}4272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:50.393{4DB9351A-A22E-60D3-8E04-00000000CF01}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\171c-0\System.IdentityModel.Selectors.dll2021-06-23 21:05:50.393 10341000x800000000000000021676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.268{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22E-60D3-8E04-00000000CF01}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:48.114{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61443-false10.0.1.12-8000- 10341000x800000000000000021674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.221{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22E-60D3-8E04-00000000CF01}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.206{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22E-60D3-8E04-00000000CF01}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.107{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22E-60D3-8D04-00000000CF01}3600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.075{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22E-60D3-8D04-00000000CF01}3600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:50.075{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22E-60D3-8D04-00000000CF01}3600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.987{4DB9351A-A22F-60D3-9604-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\198c-0\System.IO.Log.dll2021-06-23 21:05:51.987 23542300x800000000000000021707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.816{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785C8446957744D0D6F4668FD4C89A11,SHA256=96F55DF08EABBF1851734A91154D1AC3658FA8C50D3682B976ACE637F8D87011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.768{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9604-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.753{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9604-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.753{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9604-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.690{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9504-00000000CF01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.674{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9504-00000000CF01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.674{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9504-00000000CF01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.596{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1864-0\System.IO.Compression.FileSystem.dll2021-06-23 21:05:51.596 10341000x800000000000000021699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.565{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.549{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.549{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.503{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.487{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.487{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.424{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19f8-0\System.IO.Compression.dll2021-06-23 21:05:51.424 10341000x800000000000000021692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.253{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.174{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.174{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.112{4DB9351A-A22E-60D3-9004-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fec-0\System.IdentityModel.Services.dll2021-06-23 21:05:51.112 23542300x800000000000000021685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.081{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F13B24738F1268A9F5308D66BB3EDC,SHA256=FA395725979C0DAB615473BF3C612DDA4FA5ED5618A103F23BB0368E59A7C330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.831{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29679210C1150072469DD397E3862661,SHA256=4B1002DBE85C7E2774912D3A3B706CEF8EB4AA335F675E45C692065D2F4C08F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.331{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FA1943A2FABBAC5C3544158233DD89,SHA256=B18273EECAD546BC9D01425BFE18FA8030AB04C21786A3C5B6B464CC6FF8A3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.253{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.065{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.049{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.049{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.846{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754A1F4E66E230EEE470E072C4B14D02,SHA256=A5255FA24D0A4B9CDEE6498A6772212AB53CF1EA8459D97690179D7517FA65ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.315{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C3A167E690549D55BD8B4D6C54DABD,SHA256=7A3AFB7237BC84781919EB4E66AA087671DC0938C2579AD112A42150E87EBE55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.973{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.846{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE596F9695A384CE3A0B48026C4CBF1,SHA256=0842DB3BF6A3169B60FC85D571DA195B3EA4B49118798D24D13401AAF7C7DA71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.660{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service